Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574339
MD5:	0477f6f0ffa9d220785c139059ae2073
SHA1:	f10ee145e3ac6cfdb7ff5ed6bd771b0ebfb6b167
SHA256:	aaeb494a59910158966871b3af6c498bb5541e5dd9c53fba35897db57c9b4f54
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0477F6F0FFA9D220785C139059AE2073)

taskkill.exe (PID: 7936 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8048 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8112 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8176 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6368 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 1412 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3976 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5668 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3276 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c88cb1df-c4c7-48fc-8cea-8a402398f5b9} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 273fd16e710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 332 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4200 -parentBuildID 20230927232528 -prefsHandle 3940 -prefMapHandle 4192 -prefsLen 26308 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07ec12a2-6adc-446b-8620-3205216fb253} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 273fd183610 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1784 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5064 -prefMapHandle 5060 -prefsLen 33184 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31127174-00d4-4db6-aba6-974133e70ee5} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 2738eb48f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7876	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0022EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0022EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0022ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0022ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0022EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0021AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00249576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00249576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1288890905.0000000000272000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a618338f-3
Source: file.exe, 00000000.00000000.1288890905.0000000000272000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_627589a2-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a7dbe0f7-7
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8282c5ee-2

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000251794B9D77 NtQuerySystemInformation,		18_2_00000251794B9D77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000251794D2D32 NtQuerySystemInformation,		18_2_00000251794D2D32

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0021D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00211201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00211201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0021E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BBF40	0_2_001BBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00222046	0_2_00222046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B8060	0_2_001B8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00218298	0_2_00218298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001EE4FF	0_2_001EE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E676B	0_2_001E676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00244873	0_2_00244873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DCAA0	0_2_001DCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BCAF0	0_2_001BCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CCC39	0_2_001CCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E6DD9	0_2_001E6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CB119	0_2_001CB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B91C0	0_2_001B91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1394	0_2_001D1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1706	0_2_001D1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D781B	0_2_001D781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B7920	0_2_001B7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C997D	0_2_001C997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D19B0	0_2_001D19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D7A4A	0_2_001D7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1C77	0_2_001D1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D7CA7	0_2_001D7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023BE44	0_2_0023BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E9EEE	0_2_001E9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1F32	0_2_001D1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000251794B9D77	18_2_00000251794B9D77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000251794D2D32	18_2_00000251794D2D32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000251794D345C	18_2_00000251794D345C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000251794D2D72	18_2_00000251794D2D72

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 001CF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 001B9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 001D0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/34@65/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002237B5 GetLastError,FormatMessageW,

0_2_002237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002110BF AdjustTokenPrivileges,CloseHandle,		0_2_002110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0021D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0022648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0022648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001B42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c88cb1df-c4c7-48fc-8cea-8a402398f5b9} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 273fd16e710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4200 -parentBuildID 20230927232528 -prefsHandle 3940 -prefMapHandle 4192 -prefsLen 26308 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07ec12a2-6adc-446b-8620-3205216fb253} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 273fd183610 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5064 -prefMapHandle 5060 -prefsLen 33184 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31127174-00d4-4db6-aba6-974133e70ee5} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 2738eb48f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c88cb1df-c4c7-48fc-8cea-8a402398f5b9} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 273fd16e710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4200 -parentBuildID 20230927232528 -prefsHandle 3940 -prefMapHandle 4192 -prefsLen 26308 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07ec12a2-6adc-446b-8620-3205216fb253} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 273fd183610 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5064 -prefMapHandle 5060 -prefsLen 33184 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31127174-00d4-4db6-aba6-974133e70ee5} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 2738eb48f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D0A76 push ecx; ret

0_2_001D0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001CF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00241C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00241C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95737

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_00000251794B9D77 rdtsc

18_2_00000251794B9D77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.9 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0021DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001EC2A2 FindFirstFileExW,	0_2_001EC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002268EE FindFirstFileW,FindClose,	0_2_002268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0022698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0021D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0021D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00229642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00229642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0022979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00229B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00229B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00225C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00225C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Source: firefox.exe, 00000010.00000002.2562698950.000002110FB00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: firefox.exe, 00000014.00000002.2555773410.00000181047EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpN
Source: firefox.exe, 00000010.00000002.2562698950.000002110FB00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: firefox.exe, 00000010.00000002.2562698950.000002110FB00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2556036282.0000025178D3A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2562151567.0000025179540000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2561420139.0000018104CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.2561957242.000002110FA19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2557602411.000002110F6CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.2562698950.000002110FB00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2562151567.0000025179540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_00000251794B9D77 rdtsc

18_2_00000251794B9D77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0022EAA2 BlockInput,

0_2_0022EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001E2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D4CE8 mov eax, dword ptr fs:[00000030h]

0_2_001D4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00210B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00210B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001E2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001D083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D09D5 SetUnhandledExceptionFilter,	0_2_001D09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001D0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00211201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001F2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001F2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021B226 SendInput,keybd_event,

0_2_0021B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002322DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00210B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00211663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00211663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D0698 cpuid

0_2_001D0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0020D21C GetLocalTime,

0_2_0020D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0020D27A GetUserNameW,

0_2_0020D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_001EB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7876, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7876, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00231204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00231204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00231806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00231806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	24%	ReversingLabs	Win32.Ransomware.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.14	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.65.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000014.00000002.2557732440.0000018104BC4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1471726671.000002739523E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390874550.0000027395240000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568318894.000002739523E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.2558370735.000002110F872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2557604962.0000025178F87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2557732440.0000018104B8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.1400709295.00000273957EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526361183.00000273957EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1528225213.00000273953F2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg	firefox.exe, 0000000E.00000003.1523895616.00000273FF2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2558370735.000002110F8C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2557604962.0000025178FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2561655515.0000018104E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1361859283.000002738CF3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361686648.000002738CF20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1362020407.000002738CF5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361440831.000002738CD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1362247591.000002738CF7B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.1549552403.000002738E8C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.1524118195.0000027398046000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513912321.0000027398044000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700	firefox.exe, 0000000E.00000003.1523895616.00000273FF2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2558370735.000002110F8C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2557604962.0000025178FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2561655515.0000018104E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.1401224677.000002739519F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1476209352.000002738E064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361859283.000002738CF3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361686648.000002738CF20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1362020407.000002738CF5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361440831.000002738CD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1362247591.000002738CF7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420203801.000002738E1BD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.1547548736.000002738F30F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1361859283.000002738CF3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361686648.000002738CF20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1362020407.000002738CF5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361440831.000002738CD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1362247591.000002738CF7B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta	firefox.exe, 0000000E.00000003.1523895616.00000273FF2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2558370735.000002110F8C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2557604962.0000025178FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2561655515.0000018104E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.1411486364.000002738E950000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://exslt.org/sets	firefox.exe, 0000000E.00000003.1531009048.00000273FF28A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.1537673275.0000027390AAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1537553469.0000027390AF3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.1534721618.000002739590B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.1427046571.000002738E7F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1423629407.000002738E7F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1427784421.000002738E7F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://exslt.org/common	firefox.exe, 0000000E.00000003.1531009048.00000273FF28A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1516248039.000002739566A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526361183.0000027395762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1400956714.0000027395774000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1400956714.0000027395735000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.1491965999.00000273FF87D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572967137.00000273FF87D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1497423243.00000273FF87D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1501744891.00000273FF87D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.1513912321.0000027398044000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2557604962.0000025178F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2557732440.0000018104B0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.1422340199.000002738EF8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1422641488.000002738EF8A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.1547548736.000002738F36D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.1400709295.00000273957EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526361183.00000273957EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.1537284331.000002739513B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000014.00000002.2557732440.0000018104BC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1420384853.000002738E193000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420173205.000002738EF87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421119788.000002738E1A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1425445384.000002738EFEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421119788.000002738E193000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1422340199.000002738EF87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420384853.000002738E141000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421009977.000002738E138000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421119788.000002738E13B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.1570425513.000002738E737000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1516921596.0000027395638000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://detectportal.firefox.comP	firefox.exe, 0000000E.00000003.1537801171.0000027390A9D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.1549552403.000002738E8C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.1528225213.00000273953F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2557604962.0000025178F12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2557732440.0000018104B13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.1400709295.00000273957EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526361183.00000273957EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/CN=The	firefox.exe, 00000014.00000002.2557732440.0000018104B13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.1401224677.000002739519F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.1515889482.000002739594B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534338200.000002739594B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526033380.000002739594B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.1421437052.000002738E12D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.njy8xaI_aUJp	firefox.exe, 0000000E.00000003.1533729803.0000027398150000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1427375247.000002738E7EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1541941882.00000273901C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570425513.000002738E73F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1417590061.000002738E0DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1494075832.000002738CF08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547548736.000002738F36D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475035601.000002738E9F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1490050943.000002738E9A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1476209352.000002738E0C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1438347927.000002738E19D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1427784421.000002738E7EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421605392.000002738E1C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570425513.000002738E72D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467701071.000002738E194000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1493778222.000002738E99C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565614962.000002738C772000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572037974.000002738CF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1369019016.000002738E0D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1393197300.00000273952B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576894945.0000027390B20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564782101.000002738E11B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.1542479480.000002739016F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.1541350674.0000027390330000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000E.00000003.1411486364.000002738E950000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413642306.000002738ECD3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1517820988.00000273951EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1401224677.00000273951EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529058491.00000273951EB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1524118195.0000027398051000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513912321.0000027398051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1524118195.0000027398051000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513912321.0000027398051000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.1515889482.000002739594B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534338200.000002739594B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526033380.000002739594B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1471726671.000002739523E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568318894.000002739523E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.1400956714.0000027395735000.00000004.00000800.00020000.00000000.sdmp	false	high
http://exslt.org/dates-and-times$	firefox.exe, 0000000E.00000003.1531330806.00000273FF261000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1493452218.000002738C734000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1364930689.000002738C733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1469879613.000002738C739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1364694062.000002738C717000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1363689055.000002738C733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1502195603.000002738C739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565858269.000002738C739000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.1420203801.000002738E1AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421605392.000002738E1A8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1540445011.0000027390349000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.1422573726.000002738EF66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421605392.000002738E1A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1422973415.000002738EF6D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1491965999.00000273FF87D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1493452218.000002738C734000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572967137.00000273FF87D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1364930689.000002738C733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1469879613.000002738C739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1364694062.000002738C717000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1497423243.00000273FF87D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1501744891.00000273FF87D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1363689055.000002738C733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1502195603.000002738C739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565858269.000002738C739000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.1537284331.000002739513B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.1536011998.000002739567F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.1400709295.00000273957EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526361183.00000273957EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.1533071021.00000273FF2DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1523895616.00000273FF2DC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.2561284388.000002110F900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2561187782.0000025179460000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2560910095.0000018104C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.1362247591.000002738CF7B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000E.00000003.1401161824.000002739571D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1361440831.000002738CD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1362247591.000002738CF7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420203801.000002738E1BD000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574339
Start date and time:	2024-12-13 08:54:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/34@65/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 96% Number of executed functions: 50 Number of non-executed functions: 289
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.228.225.150, 35.85.93.176, 54.213.181.160, 142.250.181.142, 88.221.134.155, 88.221.134.209, 142.250.181.138, 142.250.181.74, 13.107.246.63, 23.218.208.109, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 5668 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
02:55:42	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.121.53
FASTLYUS	secure.htm	Get hash	malicious	HTMLPhisher	Browse	185.199.110.153
	archive.htm	Get hash	malicious	HTMLPhisher	Browse	185.199.111.153
	in.exe	Get hash	malicious	Babadeda, HTMLPhisher	Browse	185.199.108.153
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	151.101.1.137
	creamkissingthingswithcreambananapackagecreamy.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
ATGS-MMD-ASUS	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.0.41.226
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	51.92.80.67
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.252.209.208
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f4bfca67-9f15-4210-9b05-fd5b6de50c36.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.175399420800402
Encrypted:	false
SSDEEP:	192:2MMXN5acbhbVbTbfbRbObtbyEl7nErHJA6unSrDtTkdyS+:2tGcNhnzFSJkru1nSrDhkdyv
MD5:	DFC0B04351BD1FCE0AB9E05B179411A4
SHA1:	67D7E6157BCBFB11BC563CB47B3C3E5BC31A5BA4
SHA-256:	13498B9F9F566CF8C3F7CF4F6981359C2A7EE39FF2C1BD000F7B59BD4B366727
SHA-512:	B06BD48B9C155F7EC56AD390C832A7BD23F4A6CA3531D09A7CD6FC6A18269E65C86F298B31C9809A34C3DD4EAEE8387A8AB49F6BC8309F0D29A37295945384FE
Malicious:	false
Preview:	{"type":"uninstall","id":"f4bfca67-9f15-4210-9b05-fd5b6de50c36","creationDate":"2024-12-13T09:51:30.646Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"c52d5856-ece5-494f-aabd-86188f9ce2c7","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f4bfca67-9f15-4210-9b05-fd5b6de50c36.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.175399420800402
Encrypted:	false
SSDEEP:	192:2MMXN5acbhbVbTbfbRbObtbyEl7nErHJA6unSrDtTkdyS+:2tGcNhnzFSJkru1nSrDhkdyv
MD5:	DFC0B04351BD1FCE0AB9E05B179411A4
SHA1:	67D7E6157BCBFB11BC563CB47B3C3E5BC31A5BA4
SHA-256:	13498B9F9F566CF8C3F7CF4F6981359C2A7EE39FF2C1BD000F7B59BD4B366727
SHA-512:	B06BD48B9C155F7EC56AD390C832A7BD23F4A6CA3531D09A7CD6FC6A18269E65C86F298B31C9809A34C3DD4EAEE8387A8AB49F6BC8309F0D29A37295945384FE
Malicious:	false
Preview:	{"type":"uninstall","id":"f4bfca67-9f15-4210-9b05-fd5b6de50c36","creationDate":"2024-12-13T09:51:30.646Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"c52d5856-ece5-494f-aabd-86188f9ce2c7","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.936864333273975
Encrypted:	false
SSDEEP:	96:gjziNFS+O2PUFzOdwNIOd8jvYRGrL7itU8P:gjziNFS+OyUxOdwiOd8jTLYU8P
MD5:	B4AA949495CE0F3A0F40FD9B289E0E05
SHA1:	48A0F08D8C62BE37F710EE73FA617D6B93C1C607
SHA-256:	78FABDD80D9198CCF3EC0E10EA861D4E90ADFA3361062A71ED52EBFE0C7DB8F8
SHA-512:	DEED191803F581019DA778DFB8D4E42FA6C07947BF3D3874D10954EA94257C2E76B4E311B377049955DA2414CCCB06A5ECDFE379F740FB157BDDF6828FE0DA6A
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"22cb469c-1a0f-4c4f-8465-adc25b4d990d","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T09:51:32.910Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.936864333273975
Encrypted:	false
SSDEEP:	96:gjziNFS+O2PUFzOdwNIOd8jvYRGrL7itU8P:gjziNFS+OyUxOdwiOd8jTLYU8P
MD5:	B4AA949495CE0F3A0F40FD9B289E0E05
SHA1:	48A0F08D8C62BE37F710EE73FA617D6B93C1C607
SHA-256:	78FABDD80D9198CCF3EC0E10EA861D4E90ADFA3361062A71ED52EBFE0C7DB8F8
SHA-512:	DEED191803F581019DA778DFB8D4E42FA6C07947BF3D3874D10954EA94257C2E76B4E311B377049955DA2414CCCB06A5ECDFE379F740FB157BDDF6828FE0DA6A
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"22cb469c-1a0f-4c4f-8465-adc25b4d990d","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T09:51:32.910Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6084
Entropy (8bit):	6.624738020708981
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j29U:JTx2x2t0FDJ4NF6ILPd+Md0k+ut
MD5:	CB318284906011DF19C1FF12968CFE0F
SHA1:	33AFCC8919192C4ACA86C1FB49E03B3BCE28350E
SHA-256:	890CA28C86AEDD214C1C98F401179DFE4CFBDC05352E6E696A455E56FD9BC8ED
SHA-512:	15CEDA0D905A625F7F843EA687B180855E5F27062BD51E916C020F8182F4603256A4D24831F10C58DF6D82A09F95456992916F4C0B7627E93AB581F8DFAFA719
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6084
Entropy (8bit):	6.624738020708981
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j29U:JTx2x2t0FDJ4NF6ILPd+Md0k+ut
MD5:	CB318284906011DF19C1FF12968CFE0F
SHA1:	33AFCC8919192C4ACA86C1FB49E03B3BCE28350E
SHA-256:	890CA28C86AEDD214C1C98F401179DFE4CFBDC05352E6E696A455E56FD9BC8ED
SHA-512:	15CEDA0D905A625F7F843EA687B180855E5F27062BD51E916C020F8182F4603256A4D24831F10C58DF6D82A09F95456992916F4C0B7627E93AB581F8DFAFA719
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.188139169100479
Encrypted:	false
SSDEEP:	768:Y8I4ovfnXg4p6z4d4fv4A4RYhvMM4lV4PX4P45I464x:366vM0
MD5:	83BB625BB55A7C6258C8A955E9355247
SHA1:	F471A0899DA8F9D1891FE84EEE57F49A483BD354
SHA-256:	43EDDA472C6BF4E1D8930DE16766D904D45CFAB872BE0EFD34A97C9A7FF6C2F1
SHA-512:	5DFB70D3E2766CC995FA5376BDC80695240F110D50796264F94DC8F4BBD57C284062DDC5B175F77BE81F10E3222132A77E4A904E44A358F1CFBADD5DBFD14B9E
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{00c60170-fd9d-4229-8c0b-f2fb3c217cc3}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.188139169100479
Encrypted:	false
SSDEEP:	768:Y8I4ovfnXg4p6z4d4fv4A4RYhvMM4lV4PX4P45I464x:366vM0
MD5:	83BB625BB55A7C6258C8A955E9355247
SHA1:	F471A0899DA8F9D1891FE84EEE57F49A483BD354
SHA-256:	43EDDA472C6BF4E1D8930DE16766D904D45CFAB872BE0EFD34A97C9A7FF6C2F1
SHA-512:	5DFB70D3E2766CC995FA5376BDC80695240F110D50796264F94DC8F4BBD57C284062DDC5B175F77BE81F10E3222132A77E4A904E44A358F1CFBADD5DBFD14B9E
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{00c60170-fd9d-4229-8c0b-f2fb3c217cc3}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07327669442631901
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkio:DLhesh7Owd4+jio
MD5:	15C11D9F3D1AA1F34A36E002742095E2
SHA1:	0A8C0EBF26DF7DA1D3B9D41A83352663BD3073AE
SHA-256:	A45BAD79B1CFAF3B82ECF3FAD33423CC3B19DD04F2A521EC335032161595B9B4
SHA-512:	ABDF334FFAC85DA98083CAC3D0B7ABA3BC298C2F2DB2DEC9C1A17CC48D57C5523ABB6FAFE021E924F108347F43C30381823BFEAFE5331B1804D10DB527DD97B9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFt3LOPBmAttlstFt3LOPBmvllJ89//alEl:GtWtoxttWtoE89XuM
MD5:	90E2356464E6257ECFE092F174F1C98D
SHA1:	93FE07A906D991C8B85EEBD1A8819734842A3E78
SHA-256:	3A564725772B0C1930FF1F4C99233138B721DB1FF294931B1809010EAB67A1FF
SHA-512:	22211848154EA6BDE2CD2FF532D1C37B99A579274FC91C9BFB1D6A8C5033EEE8D8873D9D952F499339C5E0343A0CD2B367CDFEFED3270D13A5F578B1627D46E8
Malicious:	false
Preview:	..-.....................:R..(`.W.q.?...lZ.Zd.....-.....................:R..(`.W.q.?...lZ.Zd...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03963053308770313
Encrypted:	false
SSDEEP:	3:Ol1EK2lfx7RSd3wfDl8rEXsxdwhml8XW3R2:KOFSd3+l8dMhm93w
MD5:	B0F0CE750A5560AC17E0995B0150F868
SHA1:	858029CA70A64F1A1F1ACE9192914D52565B6962
SHA-256:	51E28C20F0CBD7F0DBCCD768E5B39007152C1A301BED3B8ECDF2368D1B18AD13
SHA-512:	F7F5FE3B7A764A1044BE098378381A04275068636C51C12D4D8F2C14CB406BB88553769E7658B9AEB3ED8C0EB27739E26BB2965409A4A75F74B446C91772E076
Malicious:	false
Preview:	7....-...........q.?...l..t.:.D..........q.?...l.R:W.`(................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1808), with CRLF line terminators
Category:	dropped
Size (bytes):	14172
Entropy (8bit):	5.464703470888325
Encrypted:	false
SSDEEP:	192:snBRNZ3YbBp6QR1+PaXQ6/x8lgWz9/3/74f5RHNBw8dOSl:sen1n/xBm9WPwp0
MD5:	7A497D0296C1F2B968D671EEF5593A18
SHA1:	4B4E707B750C1A8DABF47882CD0956BED99F3D69
SHA-256:	B1B1257DFE735922ACCE2C05FD4613C0F5AD0DBADD01F4B0AE4D2BB5A90397E4
SHA-512:	1BF144299882C13DC7D5598A73A699A5CF254B3677A88551C2380F06BC19DBE41D6C6FD547F2E9E216198FC4F59D8F1E49BC8FF28DDD0E56B8CA09227C1E3614
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "ecedec8f-7097-47fc-a9e3-d74f0c8e2503");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734083460);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734083460);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734083460);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1808), with CRLF line terminators
Category:	dropped
Size (bytes):	14172
Entropy (8bit):	5.464703470888325
Encrypted:	false
SSDEEP:	192:snBRNZ3YbBp6QR1+PaXQ6/x8lgWz9/3/74f5RHNBw8dOSl:sen1n/xBm9WPwp0
MD5:	7A497D0296C1F2B968D671EEF5593A18
SHA1:	4B4E707B750C1A8DABF47882CD0956BED99F3D69
SHA-256:	B1B1257DFE735922ACCE2C05FD4613C0F5AD0DBADD01F4B0AE4D2BB5A90397E4
SHA-512:	1BF144299882C13DC7D5598A73A699A5CF254B3677A88551C2380F06BC19DBE41D6C6FD547F2E9E216198FC4F59D8F1E49BC8FF28DDD0E56B8CA09227C1E3614
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "ecedec8f-7097-47fc-a9e3-d74f0c8e2503");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734083460);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734083460);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734083460);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	6.363075884199562
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSM4VLXnIg4/pnxQwRlszT5sB043eHVFseKuOPamhufJ3+OuSEUm0WH:GUpOx6onR6A3eHOPMOrSuH
MD5:	2FBFBE9F2F5A787F658C88932CD0FE8A
SHA1:	972ED3CBCDE1421810A20CF992711A733DB83F71
SHA-256:	66DB797F82CD498BF75EC0D6467139EBCB0F036A4DCD1868046A6FA47CF7F5CC
SHA-512:	140DD0DC0263CE7D304F5EEEDA40DE203DB2E97D8BE85DEC8F5382FFD43045253EE7FB8FBD9DC784A3BD0C12182E8B72FF9CEB7FDBD8A93891D31F005B144A7E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{42a7356f-de1e-479a-82b5-665d13ed2a8a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734083464906,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...f44a76a6-556e-4dc8-8bf2-cf26f02d08a[..zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..P29885...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A93e1b9c34761ff8e8daa914c9d20b354e9b09a60c2e612021388b36b843ead3e","path":"/","na..`"taarI!.bsecure...,`.Donly..fexpiry...34606,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	6.363075884199562
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSM4VLXnIg4/pnxQwRlszT5sB043eHVFseKuOPamhufJ3+OuSEUm0WH:GUpOx6onR6A3eHOPMOrSuH
MD5:	2FBFBE9F2F5A787F658C88932CD0FE8A
SHA1:	972ED3CBCDE1421810A20CF992711A733DB83F71
SHA-256:	66DB797F82CD498BF75EC0D6467139EBCB0F036A4DCD1868046A6FA47CF7F5CC
SHA-512:	140DD0DC0263CE7D304F5EEEDA40DE203DB2E97D8BE85DEC8F5382FFD43045253EE7FB8FBD9DC784A3BD0C12182E8B72FF9CEB7FDBD8A93891D31F005B144A7E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{42a7356f-de1e-479a-82b5-665d13ed2a8a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734083464906,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...f44a76a6-556e-4dc8-8bf2-cf26f02d08a[..zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..P29885...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A93e1b9c34761ff8e8daa914c9d20b354e9b09a60c2e612021388b36b843ead3e","path":"/","na..`"taarI!.bsecure...,`.Donly..fexpiry...34606,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	6.363075884199562
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSM4VLXnIg4/pnxQwRlszT5sB043eHVFseKuOPamhufJ3+OuSEUm0WH:GUpOx6onR6A3eHOPMOrSuH
MD5:	2FBFBE9F2F5A787F658C88932CD0FE8A
SHA1:	972ED3CBCDE1421810A20CF992711A733DB83F71
SHA-256:	66DB797F82CD498BF75EC0D6467139EBCB0F036A4DCD1868046A6FA47CF7F5CC
SHA-512:	140DD0DC0263CE7D304F5EEEDA40DE203DB2E97D8BE85DEC8F5382FFD43045253EE7FB8FBD9DC784A3BD0C12182E8B72FF9CEB7FDBD8A93891D31F005B144A7E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{42a7356f-de1e-479a-82b5-665d13ed2a8a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734083464906,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...f44a76a6-556e-4dc8-8bf2-cf26f02d08a[..zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..P29885...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A93e1b9c34761ff8e8daa914c9d20b354e9b09a60c2e612021388b36b843ead3e","path":"/","na..`"taarI!.bsecure...,`.Donly..fexpiry...34606,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3669
Entropy (8bit):	4.966905329761238
Encrypted:	false
SSDEEP:	48:YrSAYOKZUQcpCB7aQYWBVNVV7WOzzc8HYMsku7f86SLAVL785FtsfAcbyJFdWw27:yc3NOWuCQOzzcbvbw6KkOrc2Rn27
MD5:	868AD433A6941F4DB49CCF26201EDF98
SHA1:	A40225FA68B1C54C786E7E44F7EA434A02DB9F59
SHA-256:	D995BD52A3FB9E1D81B1CF642F60A64BDD2116287A446AEB1D21DD2652446D00
SHA-512:	5F55C3174331F87EAB6E2B44A04B65D1AAB50A71A56721E0BC11EB48F862E3DF090CC24BDBF25AB16A6CE79FC3262E3C988A6BF675654C013DAC071889E0E5BD
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T09:50:44.069Z","profileAgeCreated":1696499488915,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true},"screenshots@mozilla.org":{"version":"39.0.1","type":"extension","isSystem":true,"isWebExt

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3669
Entropy (8bit):	4.966905329761238
Encrypted:	false
SSDEEP:	48:YrSAYOKZUQcpCB7aQYWBVNVV7WOzzc8HYMsku7f86SLAVL785FtsfAcbyJFdWw27:yc3NOWuCQOzzcbvbw6KkOrc2Rn27
MD5:	868AD433A6941F4DB49CCF26201EDF98
SHA1:	A40225FA68B1C54C786E7E44F7EA434A02DB9F59
SHA-256:	D995BD52A3FB9E1D81B1CF642F60A64BDD2116287A446AEB1D21DD2652446D00
SHA-512:	5F55C3174331F87EAB6E2B44A04B65D1AAB50A71A56721E0BC11EB48F862E3DF090CC24BDBF25AB16A6CE79FC3262E3C988A6BF675654C013DAC071889E0E5BD
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T09:50:44.069Z","profileAgeCreated":1696499488915,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true},"screenshots@mozilla.org":{"version":"39.0.1","type":"extension","isSystem":true,"isWebExt

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.707301081587081
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	972'288 bytes
MD5:	0477f6f0ffa9d220785c139059ae2073
SHA1:	f10ee145e3ac6cfdb7ff5ed6bd771b0ebfb6b167
SHA256:	aaeb494a59910158966871b3af6c498bb5541e5dd9c53fba35897db57c9b4f54
SHA512:	14285390b2c2ed1143eba8df2c4602761ed2651549b31a505be7828bc9fc4e8d9f7887a341a6087f0618fbd14c5992238179a36cb82a5215f0337e41cd5f5223
SSDEEP:	24576:cqDEvCTbMWu7rQYlBQcBiT6rprG8av1vr:cTvC/MTQYxsWR7av
TLSH:	60259E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BE1E1 [Fri Dec 13 07:27:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3A687F0EF3h
jmp 00007F3A687F07FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3A687F09DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3A687F09AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3A687F359Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3A687F35E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3A687F35D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x16a70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x16a70	0x16c00	bcdc19b74f1fc380c21093a2f1ba9c4c	False	0.7066878434065934	data	7.194992025794928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xdbf2	data			1.000461762511988
RT_GROUP_ICON	0xea4f0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xea568	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xea57c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xea590	0x14	data	English	Great Britain	1.25
RT_VERSION	0xea5a4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea680	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:55:42.246835947 CET	49726	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:55:42.246942997 CET	443	49726	35.190.72.216	192.168.2.10
Dec 13, 2024 08:55:42.247498989 CET	49726	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:55:42.291260004 CET	49726	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:55:42.291301966 CET	443	49726	35.190.72.216	192.168.2.10
Dec 13, 2024 08:55:42.291903019 CET	49727	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:42.292133093 CET	49728	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:42.292231083 CET	443	49728	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:42.292299986 CET	49729	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:42.292320967 CET	443	49729	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:42.292438030 CET	49728	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:42.292550087 CET	49729	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:42.294014931 CET	49728	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:42.294064045 CET	443	49728	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:42.295391083 CET	49729	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:42.295408964 CET	443	49729	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:42.411608934 CET	80	49727	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:42.413220882 CET	49727	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:42.413381100 CET	49727	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:42.533041954 CET	80	49727	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:42.863254070 CET	49735	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:42.863323927 CET	443	49735	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:42.864068985 CET	49735	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:42.865493059 CET	49735	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:42.865521908 CET	443	49735	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:43.049551010 CET	49736	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:43.049613953 CET	443	49736	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:43.049926996 CET	49737	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:43.049937963 CET	443	49737	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:43.051744938 CET	49736	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:43.051781893 CET	49737	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:43.052016020 CET	49736	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:43.052032948 CET	443	49736	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:43.053539991 CET	49737	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:43.053556919 CET	443	49737	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:43.498761892 CET	80	49727	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:43.507914066 CET	443	49726	35.190.72.216	192.168.2.10
Dec 13, 2024 08:55:43.508502960 CET	49726	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:55:43.553858042 CET	49738	443	192.168.2.10	34.160.144.191
Dec 13, 2024 08:55:43.553909063 CET	443	49738	34.160.144.191	192.168.2.10
Dec 13, 2024 08:55:43.554126024 CET	49738	443	192.168.2.10	34.160.144.191
Dec 13, 2024 08:55:43.554256916 CET	49738	443	192.168.2.10	34.160.144.191
Dec 13, 2024 08:55:43.554265976 CET	443	49738	34.160.144.191	192.168.2.10
Dec 13, 2024 08:55:43.555352926 CET	49727	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:43.568290949 CET	49726	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:55:43.568320990 CET	443	49726	35.190.72.216	192.168.2.10
Dec 13, 2024 08:55:43.568619967 CET	443	49726	35.190.72.216	192.168.2.10
Dec 13, 2024 08:55:43.570987940 CET	49726	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:55:43.576953888 CET	49726	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:55:43.576972961 CET	443	49726	35.190.72.216	192.168.2.10
Dec 13, 2024 08:55:43.698328018 CET	49739	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:43.818248987 CET	80	49739	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:43.828006029 CET	49739	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:43.828079939 CET	49739	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:43.947710991 CET	80	49739	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:43.990119934 CET	443	49728	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:43.990569115 CET	49728	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:43.990848064 CET	443	49728	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:43.993149042 CET	443	49729	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:43.994153976 CET	443	49729	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:43.995338917 CET	443	49728	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:43.999341011 CET	443	49729	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:44.003611088 CET	49729	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.003616095 CET	49728	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.003740072 CET	49728	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.003823996 CET	49729	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.087353945 CET	443	49735	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:44.091439962 CET	49735	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:44.100584984 CET	49728	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.100603104 CET	443	49728	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:44.100827932 CET	49728	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.100929022 CET	443	49728	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:44.111696959 CET	49728	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.116589069 CET	49729	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.116611004 CET	443	49729	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:44.116668940 CET	49729	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.116918087 CET	443	49729	142.250.181.110	192.168.2.10
Dec 13, 2024 08:55:44.126773119 CET	49735	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:44.126801968 CET	443	49735	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:44.126837969 CET	49729	443	192.168.2.10	142.250.181.110
Dec 13, 2024 08:55:44.126952887 CET	443	49735	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:44.126964092 CET	49735	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:44.126972914 CET	443	49735	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:44.268289089 CET	443	49736	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:44.268363953 CET	49736	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:44.271362066 CET	49736	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:44.271370888 CET	443	49736	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:44.271703959 CET	443	49736	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:44.274796009 CET	443	49737	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:44.275048018 CET	49736	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:44.275141001 CET	49736	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:44.275280952 CET	443	49736	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:44.275300026 CET	49736	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:44.275326014 CET	49737	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:44.276333094 CET	49736	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:44.280519962 CET	49737	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:44.280529022 CET	443	49737	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:44.280613899 CET	49737	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:44.280914068 CET	443	49737	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:44.281003952 CET	49737	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:44.335330963 CET	443	49735	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:44.335410118 CET	49735	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:44.609198093 CET	49727	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:44.726303101 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:44.729383945 CET	80	49727	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:44.729465961 CET	49727	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:44.770077944 CET	443	49738	34.160.144.191	192.168.2.10
Dec 13, 2024 08:55:44.770235062 CET	49738	443	192.168.2.10	34.160.144.191
Dec 13, 2024 08:55:44.773504972 CET	49738	443	192.168.2.10	34.160.144.191
Dec 13, 2024 08:55:44.773518085 CET	443	49738	34.160.144.191	192.168.2.10
Dec 13, 2024 08:55:44.773778915 CET	443	49738	34.160.144.191	192.168.2.10
Dec 13, 2024 08:55:44.776506901 CET	49738	443	192.168.2.10	34.160.144.191
Dec 13, 2024 08:55:44.776595116 CET	49738	443	192.168.2.10	34.160.144.191
Dec 13, 2024 08:55:44.776662111 CET	443	49738	34.160.144.191	192.168.2.10
Dec 13, 2024 08:55:44.776968002 CET	49738	443	192.168.2.10	34.160.144.191
Dec 13, 2024 08:55:44.846043110 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:44.847541094 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:44.848090887 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:44.913100958 CET	80	49739	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:44.913516045 CET	49739	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:44.967808962 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:45.003015041 CET	49748	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:45.003065109 CET	443	49748	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:45.010394096 CET	49748	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:45.011828899 CET	49748	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:45.011852980 CET	443	49748	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:45.034337044 CET	80	49739	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:45.034785032 CET	49739	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:45.139544964 CET	49749	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:45.139584064 CET	443	49749	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:45.139753103 CET	49749	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:45.149756908 CET	49749	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:45.149785995 CET	443	49749	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:45.821284056 CET	49750	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:45.821346045 CET	443	49750	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:45.834736109 CET	49750	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:45.836415052 CET	49750	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:45.836445093 CET	443	49750	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:45.933850050 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:45.988622904 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:46.240945101 CET	443	49748	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:46.240966082 CET	443	49748	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:46.241027117 CET	49748	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:46.245347023 CET	49748	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:46.245377064 CET	443	49748	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:46.245434046 CET	49748	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:46.245588064 CET	443	49748	34.117.188.166	192.168.2.10
Dec 13, 2024 08:55:46.245913029 CET	49748	443	192.168.2.10	34.117.188.166
Dec 13, 2024 08:55:46.292176008 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:46.376056910 CET	443	49749	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:46.387348890 CET	443	49749	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:46.401863098 CET	49749	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:46.405505896 CET	49749	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:46.407193899 CET	49749	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:46.407216072 CET	443	49749	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:46.407346964 CET	49749	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:46.407601118 CET	443	49749	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:46.407958031 CET	49749	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:46.411964893 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:46.412146091 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:46.412319899 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:46.532026052 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:46.675106049 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:46.794827938 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:46.920557022 CET	49753	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:46.920599937 CET	443	49753	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:46.920958996 CET	49753	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:46.921098948 CET	49753	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:46.921109915 CET	443	49753	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:46.989610910 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:47.051707029 CET	443	49750	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:47.051722050 CET	443	49750	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:47.051836967 CET	49750	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:47.052814007 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:47.057658911 CET	49750	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:47.057668924 CET	443	49750	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:47.057823896 CET	49750	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:47.057852983 CET	443	49750	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:47.057909966 CET	49750	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:47.110302925 CET	49759	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:47.110353947 CET	443	49759	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:47.110620022 CET	49759	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:47.112091064 CET	49759	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:47.112104893 CET	443	49759	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:47.498537064 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:47.538305998 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:48.134588003 CET	443	49753	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:48.138092041 CET	49753	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:48.143704891 CET	49753	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:48.143728018 CET	443	49753	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:48.144139051 CET	443	49753	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:48.145792961 CET	49753	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:48.145895004 CET	49753	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:48.145992041 CET	443	49753	35.244.181.201	192.168.2.10
Dec 13, 2024 08:55:48.147666931 CET	49753	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:55:48.333239079 CET	443	49759	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:48.333342075 CET	49759	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:48.338340998 CET	49759	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:48.338350058 CET	443	49759	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:48.338438988 CET	49759	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:48.338887930 CET	443	49759	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:48.339468002 CET	49759	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:49.328300953 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:49.448004961 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:49.642935991 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:49.645236015 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:49.646985054 CET	49766	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:49.647032976 CET	443	49766	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:49.648132086 CET	49766	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:49.649724960 CET	49766	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:49.649736881 CET	443	49766	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:49.702872038 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:49.764966011 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:49.959518909 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:50.003740072 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:50.860691071 CET	443	49766	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:50.860826969 CET	49766	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:50.865005970 CET	49766	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:50.865016937 CET	443	49766	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:50.865092039 CET	49766	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:50.865184069 CET	443	49766	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:50.865247965 CET	49766	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:52.422425985 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:52.542345047 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:52.573571920 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:52.693501949 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:52.712886095 CET	49774	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:52.712937117 CET	443	49774	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:52.713222980 CET	49774	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:52.714591026 CET	49774	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:52.714618921 CET	443	49774	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:52.737297058 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:52.785986900 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:52.888129950 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:52.949958086 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:53.931968927 CET	443	49774	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:53.932044029 CET	49774	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:53.935885906 CET	49774	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:53.935897112 CET	443	49774	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:53.936209917 CET	443	49774	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:53.936248064 CET	49774	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:53.936254978 CET	443	49774	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:53.936635017 CET	49780	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:53.936686039 CET	443	49780	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:53.936950922 CET	49780	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:53.938318014 CET	49780	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:53.938338041 CET	443	49780	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:54.044599056 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:54.143337011 CET	443	49774	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:54.144011974 CET	49774	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:54.164361000 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:54.359592915 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:54.411767006 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:54.920798063 CET	49781	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:54.920824051 CET	443	49781	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:54.920918941 CET	49781	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:54.922308922 CET	49781	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:54.922324896 CET	443	49781	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:55.150522947 CET	443	49780	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:55.150608063 CET	49780	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:55.155244112 CET	49780	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:55.155273914 CET	443	49780	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:55.155323029 CET	49780	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:55.155472994 CET	443	49780	34.149.100.209	192.168.2.10
Dec 13, 2024 08:55:55.155617952 CET	49780	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:55:55.224023104 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:55.249691010 CET	49782	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:55.249743938 CET	443	49782	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:55.250013113 CET	49783	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:55.250066042 CET	443	49783	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:55.260971069 CET	49782	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:55.260991096 CET	49783	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:55.261136055 CET	49782	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:55.261154890 CET	443	49782	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:55.261332989 CET	49783	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:55.261351109 CET	443	49783	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:55.266678095 CET	49784	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:55.266717911 CET	443	49784	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:55.266799927 CET	49784	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:55.268165112 CET	49784	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:55.268176079 CET	443	49784	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:55.343957901 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:55.538642883 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:55.591161013 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:56.133555889 CET	443	49781	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:56.133645058 CET	49781	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:56.334619999 CET	49781	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:56.334650040 CET	443	49781	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:56.334697008 CET	49781	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:56.334898949 CET	443	49781	34.107.243.93	192.168.2.10
Dec 13, 2024 08:55:56.335840940 CET	49781	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:55:56.340822935 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:56.460753918 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:56.472673893 CET	443	49782	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:56.472690105 CET	443	49782	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:56.472745895 CET	49782	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:56.478646994 CET	443	49783	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:56.478691101 CET	443	49783	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:56.478734016 CET	49783	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:56.486143112 CET	443	49784	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:56.486238003 CET	49784	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:56.524918079 CET	49783	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:56.657196045 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:56.709924936 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:57.286911011 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:57.287733078 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:57.522778034 CET	49782	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.522835016 CET	443	49782	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:57.522939920 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:57.523196936 CET	443	49782	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:57.526267052 CET	49783	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.526305914 CET	443	49783	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:57.526640892 CET	443	49783	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:57.530131102 CET	49782	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.530313969 CET	49782	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.530348063 CET	443	49782	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:57.530415058 CET	49784	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.530494928 CET	443	49784	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:57.530527115 CET	49784	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.530807018 CET	49783	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.530865908 CET	49783	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.531023979 CET	443	49783	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:57.531398058 CET	443	49784	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:57.531843901 CET	49782	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.531858921 CET	49783	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.532011986 CET	49784	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:57.642901897 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:57.837522030 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:57.882335901 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:58.171693087 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:58.180900097 CET	49790	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:58.180928946 CET	443	49790	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:58.181272030 CET	49790	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:58.182858944 CET	49790	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:58.182874918 CET	443	49790	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:58.291513920 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:58.486531973 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:55:58.530814886 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:55:59.396330118 CET	443	49790	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:59.397136927 CET	49790	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:59.402086020 CET	49790	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:59.402100086 CET	443	49790	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:59.402249098 CET	49790	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:55:59.402275085 CET	443	49790	34.120.208.123	192.168.2.10
Dec 13, 2024 08:55:59.402487040 CET	49790	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:00.148925066 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:00.190037966 CET	49796	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:00.190072060 CET	443	49796	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:00.190771103 CET	49796	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:00.192187071 CET	49796	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:00.192203999 CET	443	49796	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:00.268795967 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:00.463340044 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:00.505369902 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:00.592945099 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:00.712681055 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:00.907747984 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:00.954250097 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:01.405083895 CET	443	49796	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:01.405209064 CET	49796	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:01.410526991 CET	49796	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:01.410526991 CET	49796	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:01.410542965 CET	443	49796	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:01.410712957 CET	443	49796	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:01.412024975 CET	49796	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:01.414521933 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:01.534516096 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:01.729438066 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:01.735730886 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:01.793504953 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:01.855550051 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:02.050509930 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:02.094362974 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:06.360156059 CET	49812	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:06.360198975 CET	443	49812	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:06.360662937 CET	49812	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:06.362711906 CET	49812	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:06.362729073 CET	443	49812	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:07.574035883 CET	443	49812	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:07.575536013 CET	49812	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:07.579176903 CET	49812	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:07.579185963 CET	443	49812	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:07.579335928 CET	49812	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:07.579364061 CET	443	49812	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:07.579456091 CET	49812	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:07.582029104 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:07.701960087 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:07.896517038 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:07.900407076 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:07.942821026 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:08.020255089 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:08.215395927 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:08.259283066 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:08.825093985 CET	49817	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:08.825141907 CET	443	49817	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:08.826292992 CET	49817	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:08.826493025 CET	49817	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:08.826507092 CET	443	49817	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:08.848211050 CET	49818	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:56:08.848246098 CET	443	49818	35.190.72.216	192.168.2.10
Dec 13, 2024 08:56:08.852895975 CET	49818	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:56:08.854377031 CET	49818	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:56:08.854391098 CET	443	49818	35.190.72.216	192.168.2.10
Dec 13, 2024 08:56:08.944622993 CET	49819	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:08.944667101 CET	443	49819	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:08.944796085 CET	49819	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:08.944927931 CET	49819	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:08.944941998 CET	443	49819	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:08.994765997 CET	49820	443	192.168.2.10	35.201.103.21
Dec 13, 2024 08:56:08.994867086 CET	443	49820	35.201.103.21	192.168.2.10
Dec 13, 2024 08:56:08.995110989 CET	49820	443	192.168.2.10	35.201.103.21
Dec 13, 2024 08:56:08.996367931 CET	49820	443	192.168.2.10	35.201.103.21
Dec 13, 2024 08:56:08.996417999 CET	443	49820	35.201.103.21	192.168.2.10
Dec 13, 2024 08:56:09.045101881 CET	49821	443	192.168.2.10	151.101.65.91
Dec 13, 2024 08:56:09.045173883 CET	443	49821	151.101.65.91	192.168.2.10
Dec 13, 2024 08:56:09.045836926 CET	49821	443	192.168.2.10	151.101.65.91
Dec 13, 2024 08:56:09.046386957 CET	49821	443	192.168.2.10	151.101.65.91
Dec 13, 2024 08:56:09.046403885 CET	443	49821	151.101.65.91	192.168.2.10
Dec 13, 2024 08:56:10.037630081 CET	443	49817	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:10.037765026 CET	49817	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:10.041017056 CET	49817	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:10.041030884 CET	443	49817	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:10.041321039 CET	443	49817	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:10.043031931 CET	49817	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:10.043155909 CET	49817	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:10.043236971 CET	443	49817	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:10.047111034 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:10.047887087 CET	49817	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:10.047909021 CET	49817	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:10.067660093 CET	443	49818	35.190.72.216	192.168.2.10
Dec 13, 2024 08:56:10.067857027 CET	49818	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:56:10.071863890 CET	49818	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:56:10.071873903 CET	443	49818	35.190.72.216	192.168.2.10
Dec 13, 2024 08:56:10.071980953 CET	49818	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:56:10.072043896 CET	443	49818	35.190.72.216	192.168.2.10
Dec 13, 2024 08:56:10.072777987 CET	49818	443	192.168.2.10	35.190.72.216
Dec 13, 2024 08:56:10.155608892 CET	443	49819	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.155708075 CET	49819	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.159720898 CET	49819	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.159735918 CET	443	49819	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.160005093 CET	443	49819	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.162985086 CET	49819	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.163131952 CET	49819	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.163136005 CET	443	49819	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.163146973 CET	443	49819	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.166850090 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:10.212404013 CET	443	49820	35.201.103.21	192.168.2.10
Dec 13, 2024 08:56:10.212546110 CET	49820	443	192.168.2.10	35.201.103.21
Dec 13, 2024 08:56:10.217811108 CET	49820	443	192.168.2.10	35.201.103.21
Dec 13, 2024 08:56:10.217824936 CET	443	49820	35.201.103.21	192.168.2.10
Dec 13, 2024 08:56:10.218041897 CET	49820	443	192.168.2.10	35.201.103.21
Dec 13, 2024 08:56:10.218189001 CET	443	49820	35.201.103.21	192.168.2.10
Dec 13, 2024 08:56:10.218291998 CET	49820	443	192.168.2.10	35.201.103.21
Dec 13, 2024 08:56:10.232815981 CET	49826	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:10.232865095 CET	443	49826	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:10.232980967 CET	49826	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:10.233119965 CET	49826	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:10.233134985 CET	443	49826	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:10.262309074 CET	443	49821	151.101.65.91	192.168.2.10
Dec 13, 2024 08:56:10.262398005 CET	49821	443	192.168.2.10	151.101.65.91
Dec 13, 2024 08:56:10.266010046 CET	49821	443	192.168.2.10	151.101.65.91
Dec 13, 2024 08:56:10.266037941 CET	443	49821	151.101.65.91	192.168.2.10
Dec 13, 2024 08:56:10.266381025 CET	443	49821	151.101.65.91	192.168.2.10
Dec 13, 2024 08:56:10.269200087 CET	49821	443	192.168.2.10	151.101.65.91
Dec 13, 2024 08:56:10.269340038 CET	49821	443	192.168.2.10	151.101.65.91
Dec 13, 2024 08:56:10.269509077 CET	443	49821	151.101.65.91	192.168.2.10
Dec 13, 2024 08:56:10.269674063 CET	49821	443	192.168.2.10	151.101.65.91
Dec 13, 2024 08:56:10.361589909 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:10.365341902 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:10.367340088 CET	443	49819	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.371203899 CET	49819	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.418375969 CET	49828	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.418426037 CET	443	49828	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.418500900 CET	49829	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.418545961 CET	443	49829	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.418637991 CET	49827	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.418669939 CET	443	49827	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.418684006 CET	49828	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.418701887 CET	49829	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.418850899 CET	49827	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.418850899 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:10.419084072 CET	49828	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.419096947 CET	443	49828	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.419259071 CET	49827	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.419286966 CET	443	49827	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.419328928 CET	49829	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:10.419346094 CET	443	49829	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:10.485183001 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:10.680279970 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:10.735441923 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:11.443873882 CET	443	49826	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:11.443952084 CET	49826	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:11.447532892 CET	49826	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:11.447539091 CET	443	49826	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:11.447803020 CET	443	49826	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:11.450510979 CET	49826	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:11.450634003 CET	49826	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:11.450659990 CET	443	49826	34.149.100.209	192.168.2.10
Dec 13, 2024 08:56:11.452095032 CET	49826	443	192.168.2.10	34.149.100.209
Dec 13, 2024 08:56:11.454350948 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:11.574014902 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:11.632374048 CET	443	49829	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.632376909 CET	443	49828	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.632427931 CET	443	49827	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.632468939 CET	49829	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.632714033 CET	49828	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.632728100 CET	49827	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.635587931 CET	49829	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.635596991 CET	443	49829	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.635854006 CET	443	49829	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.638442039 CET	49828	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.638454914 CET	443	49828	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.638726950 CET	443	49828	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.640664101 CET	49827	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.640686989 CET	443	49827	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.640985012 CET	443	49827	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.644865036 CET	49829	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.645006895 CET	443	49829	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.645114899 CET	49829	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.645121098 CET	443	49829	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.645621061 CET	49828	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.645673990 CET	49828	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.645823002 CET	443	49828	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.646054983 CET	49827	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.646054983 CET	49827	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.646251917 CET	443	49827	35.244.181.201	192.168.2.10
Dec 13, 2024 08:56:11.646353960 CET	49828	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.646367073 CET	49827	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.646511078 CET	49829	443	192.168.2.10	35.244.181.201
Dec 13, 2024 08:56:11.768534899 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:11.772361040 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:11.822706938 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:11.892209053 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:12.087446928 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:12.139228106 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:21.775255919 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:22.091691971 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:22.214062929 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:22.214076996 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:26.900121927 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:27.020543098 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:27.215964079 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:27.219058037 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:27.259083986 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:27.339107037 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:27.534285069 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:27.575179100 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:28.385683060 CET	49867	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:28.385709047 CET	443	49867	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:28.386111975 CET	49867	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:28.387546062 CET	49867	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:28.387568951 CET	443	49867	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:29.596724987 CET	443	49867	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:29.596854925 CET	49867	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:29.601486921 CET	49867	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:29.601495981 CET	443	49867	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:29.601582050 CET	49867	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:29.601710081 CET	443	49867	34.107.243.93	192.168.2.10
Dec 13, 2024 08:56:29.602333069 CET	49867	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:56:29.604183912 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:29.723923922 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:29.918744087 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:29.922836065 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:29.966730118 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:30.042700052 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:30.237525940 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:30.283334970 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:39.654217005 CET	49893	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:39.654266119 CET	443	49893	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:39.654361010 CET	49894	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:39.654402018 CET	443	49894	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:39.654522896 CET	49893	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:39.654732943 CET	49894	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:39.654736042 CET	49893	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:39.654746056 CET	443	49893	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:39.654850960 CET	49894	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:39.654861927 CET	443	49894	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:39.926002026 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:40.045655966 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:40.242516994 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:40.362212896 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:41.054624081 CET	443	49893	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:41.054764986 CET	49893	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.058324099 CET	49893	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.058336020 CET	443	49893	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:41.058568954 CET	443	49893	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:41.059720039 CET	443	49894	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:41.059797049 CET	49894	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.062103033 CET	49894	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.062114954 CET	443	49894	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:41.062372923 CET	443	49894	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:41.063955069 CET	49893	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.064080000 CET	49893	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.064105988 CET	443	49893	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:41.065418959 CET	49894	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.065483093 CET	49894	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.065577030 CET	443	49894	34.120.208.123	192.168.2.10
Dec 13, 2024 08:56:41.065610886 CET	49893	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.065658092 CET	49894	443	192.168.2.10	34.120.208.123
Dec 13, 2024 08:56:41.068628073 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:41.188324928 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:41.383748055 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:41.387155056 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:41.430524111 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:41.506911039 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:41.702714920 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:41.747020006 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:51.397392035 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:51.517134905 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:56:51.713958979 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:56:51.833671093 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:01.526593924 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:01.646359921 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:01.843251944 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:01.963555098 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:09.617265940 CET	49964	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:57:09.617315054 CET	443	49964	34.107.243.93	192.168.2.10
Dec 13, 2024 08:57:09.617398977 CET	49964	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:57:09.618869066 CET	49964	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:57:09.618901968 CET	443	49964	34.107.243.93	192.168.2.10
Dec 13, 2024 08:57:10.845911026 CET	443	49964	34.107.243.93	192.168.2.10
Dec 13, 2024 08:57:10.846208096 CET	49964	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:57:10.851483107 CET	49964	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:57:10.851516008 CET	443	49964	34.107.243.93	192.168.2.10
Dec 13, 2024 08:57:10.851643085 CET	49964	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:57:10.851699114 CET	443	49964	34.107.243.93	192.168.2.10
Dec 13, 2024 08:57:10.852483988 CET	49964	443	192.168.2.10	34.107.243.93
Dec 13, 2024 08:57:10.854777098 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:10.975769997 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:11.169778109 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:11.173360109 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:11.216867924 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:11.295768023 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:11.491014004 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:11.533307076 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:21.183089018 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:21.303667068 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:21.499243975 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:21.619070053 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:31.312587976 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:31.432313919 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:31.629106045 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:31.749671936 CET	80	49751	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:41.446295023 CET	49742	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:41.569401979 CET	80	49742	34.107.221.82	192.168.2.10
Dec 13, 2024 08:57:41.763004065 CET	49751	80	192.168.2.10	34.107.221.82
Dec 13, 2024 08:57:41.888832092 CET	80	49751	34.107.221.82	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:55:42.115937948 CET	57882	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.116873026 CET	62249	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.247651100 CET	55704	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.257246971 CET	53639	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.260859013 CET	53	62249	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:42.261948109 CET	55784	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.386495113 CET	53	55704	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:42.390717983 CET	58112	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.399092913 CET	53	55784	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:42.399957895 CET	53	53639	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:42.399970055 CET	65524	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.402488947 CET	59360	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.531256914 CET	53	58112	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:42.536823034 CET	53	65524	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:42.539535999 CET	53	59360	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:42.711962938 CET	58365	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.777574062 CET	59560	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:42.852838993 CET	53	58365	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:42.863734961 CET	64857	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.001312971 CET	53	64857	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.002233028 CET	53449	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.017266035 CET	53	59560	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.050672054 CET	54349	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.050985098 CET	64476	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.141357899 CET	53	53449	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.187851906 CET	53	54349	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.188580990 CET	53791	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.189718962 CET	53	64476	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.190329075 CET	50758	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.326071978 CET	53	53791	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.328272104 CET	53	50758	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.376219034 CET	63886	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.500366926 CET	61145	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.501591921 CET	62559	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.513834953 CET	53	63886	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.517061949 CET	53142	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.545900106 CET	54379	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.554006100 CET	51798	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.650903940 CET	53	62559	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.653873920 CET	53	53142	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.691885948 CET	53	51798	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:43.722461939 CET	51941	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:43.859451056 CET	53	51941	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:44.377360106 CET	53	58645	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:45.063998938 CET	53719	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:45.139743090 CET	65309	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:45.200843096 CET	53	53719	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:45.202243090 CET	62658	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:45.277287006 CET	53	65309	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:45.283711910 CET	61896	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:45.339368105 CET	53	62658	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:45.340424061 CET	53577	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:45.423134089 CET	53	61896	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:45.477349043 CET	53	53577	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:49.097354889 CET	55637	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:49.235641956 CET	53	55637	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:49.237377882 CET	54291	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:49.374598026 CET	53	54291	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:49.375327110 CET	52933	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:49.513569117 CET	53	52933	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:52.573991060 CET	62857	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:52.711801052 CET	53	62857	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:52.713212967 CET	50297	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:52.850231886 CET	53	50297	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:52.851459980 CET	61716	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:52.988593102 CET	53	61716	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:54.920418024 CET	58127	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:55.057883024 CET	53	58127	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:55.250746965 CET	59100	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:55.389267921 CET	53	59100	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.138290882 CET	55264	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.138441086 CET	59558	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.138569117 CET	51621	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.275343895 CET	53	55264	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.275479078 CET	53	59558	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.276129007 CET	53	51621	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.292135954 CET	63614	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.292191982 CET	57091	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.292519093 CET	61116	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.431050062 CET	53	57091	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.431334972 CET	53	63614	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.435695887 CET	52120	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.435695887 CET	56003	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.503027916 CET	53	61116	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.504000902 CET	54918	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.573040962 CET	53	52120	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.573100090 CET	53	56003	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.573803902 CET	62680	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.573890924 CET	63261	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.711308956 CET	53	62680	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.711338043 CET	53	63261	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.711730957 CET	53	54918	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.712158918 CET	55308	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.712210894 CET	56755	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.849582911 CET	53	56755	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.850394011 CET	52954	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.914279938 CET	53	55308	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:58.914952040 CET	56761	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:55:58.988923073 CET	53	52954	1.1.1.1	192.168.2.10
Dec 13, 2024 08:55:59.130546093 CET	53	56761	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:06.360586882 CET	62567	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:06.497704029 CET	53	62567	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:08.801175117 CET	59700	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:08.821585894 CET	63828	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:08.855583906 CET	51403	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:08.938133001 CET	53	59700	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:08.993794918 CET	53	51403	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:08.995198011 CET	55814	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:09.043953896 CET	53	63828	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:09.045770884 CET	52615	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:09.183398008 CET	53	55814	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:09.183787107 CET	53	52615	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:09.184240103 CET	59897	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:09.184704065 CET	51447	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:09.321918011 CET	53	51447	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:09.322776079 CET	53	59897	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:28.246661901 CET	54167	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:28.384579897 CET	53	54167	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:28.386060953 CET	53739	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:28.523061991 CET	53	53739	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:39.655338049 CET	51557	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:56:39.792527914 CET	53	51557	1.1.1.1	192.168.2.10
Dec 13, 2024 08:56:41.068914890 CET	57776	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:57:09.617705107 CET	62189	53	192.168.2.10	1.1.1.1
Dec 13, 2024 08:57:09.754878998 CET	53	62189	1.1.1.1	192.168.2.10
Dec 13, 2024 08:57:10.855154037 CET	54529	53	192.168.2.10	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 08:55:42.115937948 CET	192.168.2.10	1.1.1.1	0x22d5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.116873026 CET	192.168.2.10	1.1.1.1	0xa726	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.247651100 CET	192.168.2.10	1.1.1.1	0x72ba	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.257246971 CET	192.168.2.10	1.1.1.1	0xa61	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.261948109 CET	192.168.2.10	1.1.1.1	0x66ab	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.390717983 CET	192.168.2.10	1.1.1.1	0xce5b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 08:55:42.399970055 CET	192.168.2.10	1.1.1.1	0x1423	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 08:55:42.402488947 CET	192.168.2.10	1.1.1.1	0x9b7d	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 08:55:42.711962938 CET	192.168.2.10	1.1.1.1	0x2cf5	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.777574062 CET	192.168.2.10	1.1.1.1	0xd7b3	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.863734961 CET	192.168.2.10	1.1.1.1	0xc18f	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.002233028 CET	192.168.2.10	1.1.1.1	0xb71a	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:55:43.050672054 CET	192.168.2.10	1.1.1.1	0xb8a9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.050985098 CET	192.168.2.10	1.1.1.1	0xd0b3	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.188580990 CET	192.168.2.10	1.1.1.1	0xcaac	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 08:55:43.190329075 CET	192.168.2.10	1.1.1.1	0x922f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 08:55:43.376219034 CET	192.168.2.10	1.1.1.1	0x291b	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.500366926 CET	192.168.2.10	1.1.1.1	0x6674	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.501591921 CET	192.168.2.10	1.1.1.1	0xa361	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.517061949 CET	192.168.2.10	1.1.1.1	0x411e	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.545900106 CET	192.168.2.10	1.1.1.1	0x2f28	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.554006100 CET	192.168.2.10	1.1.1.1	0x1df7	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.722461939 CET	192.168.2.10	1.1.1.1	0x5a84	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 08:55:45.063998938 CET	192.168.2.10	1.1.1.1	0x3529	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:45.139743090 CET	192.168.2.10	1.1.1.1	0xb4d4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:45.202243090 CET	192.168.2.10	1.1.1.1	0xe542	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:45.283711910 CET	192.168.2.10	1.1.1.1	0x103d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:55:45.340424061 CET	192.168.2.10	1.1.1.1	0xd214	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:55:49.097354889 CET	192.168.2.10	1.1.1.1	0xdf1d	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:49.237377882 CET	192.168.2.10	1.1.1.1	0xfcf1	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:49.375327110 CET	192.168.2.10	1.1.1.1	0xc6f4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 08:55:52.573991060 CET	192.168.2.10	1.1.1.1	0xe3f2	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:52.713212967 CET	192.168.2.10	1.1.1.1	0x5fa0	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:52.851459980 CET	192.168.2.10	1.1.1.1	0xaca0	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 08:55:54.920418024 CET	192.168.2.10	1.1.1.1	0x81e1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:55:55.250746965 CET	192.168.2.10	1.1.1.1	0xc354	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:55:58.138290882 CET	192.168.2.10	1.1.1.1	0x5936	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.138441086 CET	192.168.2.10	1.1.1.1	0x9ed	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.138569117 CET	192.168.2.10	1.1.1.1	0x713b	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.292135954 CET	192.168.2.10	1.1.1.1	0xaaf	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.292191982 CET	192.168.2.10	1.1.1.1	0x2ef5	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.292519093 CET	192.168.2.10	1.1.1.1	0x5fdb	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.435695887 CET	192.168.2.10	1.1.1.1	0xe50a	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 08:55:58.435695887 CET	192.168.2.10	1.1.1.1	0xe25d	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 08:55:58.504000902 CET	192.168.2.10	1.1.1.1	0xd112	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 08:55:58.573803902 CET	192.168.2.10	1.1.1.1	0xe151	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.573890924 CET	192.168.2.10	1.1.1.1	0xecbb	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.712158918 CET	192.168.2.10	1.1.1.1	0xd45a	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.712210894 CET	192.168.2.10	1.1.1.1	0x2709	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.850394011 CET	192.168.2.10	1.1.1.1	0x83b3	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 08:55:58.914952040 CET	192.168.2.10	1.1.1.1	0xaeeb	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 08:56:06.360586882 CET	192.168.2.10	1.1.1.1	0xa03d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:56:08.801175117 CET	192.168.2.10	1.1.1.1	0x2d5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 08:56:08.821585894 CET	192.168.2.10	1.1.1.1	0x286	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:08.855583906 CET	192.168.2.10	1.1.1.1	0x1923	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:08.995198011 CET	192.168.2.10	1.1.1.1	0x34e6	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.045770884 CET	192.168.2.10	1.1.1.1	0xbcff	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.184240103 CET	192.168.2.10	1.1.1.1	0xbfcd	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:56:09.184704065 CET	192.168.2.10	1.1.1.1	0x6d48	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 08:56:28.246661901 CET	192.168.2.10	1.1.1.1	0xccf0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:28.386060953 CET	192.168.2.10	1.1.1.1	0x5726	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:56:39.655338049 CET	192.168.2.10	1.1.1.1	0x1bd1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:56:41.068914890 CET	192.168.2.10	1.1.1.1	0x9295	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:57:09.617705107 CET	192.168.2.10	1.1.1.1	0xe683	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 08:57:10.855154037 CET	192.168.2.10	1.1.1.1	0xa066	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 08:55:42.243865013 CET	1.1.1.1	192.168.2.10	0xc3a5	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.254931927 CET	1.1.1.1	192.168.2.10	0x22d5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:42.254931927 CET	1.1.1.1	192.168.2.10	0x22d5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.260859013 CET	1.1.1.1	192.168.2.10	0xa726	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.386495113 CET	1.1.1.1	192.168.2.10	0x72ba	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.399092913 CET	1.1.1.1	192.168.2.10	0x66ab	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.399957895 CET	1.1.1.1	192.168.2.10	0xa61	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.536823034 CET	1.1.1.1	192.168.2.10	0x1423	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 08:55:42.539535999 CET	1.1.1.1	192.168.2.10	0x9b7d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 08:55:42.852838993 CET	1.1.1.1	192.168.2.10	0x2cf5	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:42.957849979 CET	1.1.1.1	192.168.2.10	0xbfc8	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:42.957849979 CET	1.1.1.1	192.168.2.10	0xbfc8	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.001312971 CET	1.1.1.1	192.168.2.10	0xc18f	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.017266035 CET	1.1.1.1	192.168.2.10	0xd7b3	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:43.017266035 CET	1.1.1.1	192.168.2.10	0xd7b3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.187851906 CET	1.1.1.1	192.168.2.10	0xb8a9	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.189718962 CET	1.1.1.1	192.168.2.10	0xd0b3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.513834953 CET	1.1.1.1	192.168.2.10	0x291b	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:43.513834953 CET	1.1.1.1	192.168.2.10	0x291b	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:43.513834953 CET	1.1.1.1	192.168.2.10	0x291b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.650903940 CET	1.1.1.1	192.168.2.10	0xa361	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.653873920 CET	1.1.1.1	192.168.2.10	0x411e	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.653873920 CET	1.1.1.1	192.168.2.10	0x411e	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.683382034 CET	1.1.1.1	192.168.2.10	0x2f28	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:43.683382034 CET	1.1.1.1	192.168.2.10	0x2f28	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.691885948 CET	1.1.1.1	192.168.2.10	0x1df7	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:43.736148119 CET	1.1.1.1	192.168.2.10	0x6674	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:43.859451056 CET	1.1.1.1	192.168.2.10	0x5a84	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 08:55:45.138597965 CET	1.1.1.1	192.168.2.10	0x1e04	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:45.200843096 CET	1.1.1.1	192.168.2.10	0x3529	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:45.277287006 CET	1.1.1.1	192.168.2.10	0xb4d4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:45.339368105 CET	1.1.1.1	192.168.2.10	0xe542	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:46.919502974 CET	1.1.1.1	192.168.2.10	0x7b1b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:46.919502974 CET	1.1.1.1	192.168.2.10	0x7b1b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:47.109344959 CET	1.1.1.1	192.168.2.10	0x4242	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:49.235641956 CET	1.1.1.1	192.168.2.10	0xdf1d	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:49.235641956 CET	1.1.1.1	192.168.2.10	0xdf1d	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:49.235641956 CET	1.1.1.1	192.168.2.10	0xdf1d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:49.374598026 CET	1.1.1.1	192.168.2.10	0xfcf1	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:52.711801052 CET	1.1.1.1	192.168.2.10	0xe3f2	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:52.711801052 CET	1.1.1.1	192.168.2.10	0xe3f2	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:52.850231886 CET	1.1.1.1	192.168.2.10	0x5fa0	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275343895 CET	1.1.1.1	192.168.2.10	0x5936	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275479078 CET	1.1.1.1	192.168.2.10	0x9ed	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:58.275479078 CET	1.1.1.1	192.168.2.10	0x9ed	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.276129007 CET	1.1.1.1	192.168.2.10	0x713b	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:58.276129007 CET	1.1.1.1	192.168.2.10	0x713b	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431050062 CET	1.1.1.1	192.168.2.10	0x2ef5	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.431334972 CET	1.1.1.1	192.168.2.10	0xaaf	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.503027916 CET	1.1.1.1	192.168.2.10	0x5fdb	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.573040962 CET	1.1.1.1	192.168.2.10	0xe50a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 08:55:58.573040962 CET	1.1.1.1	192.168.2.10	0xe50a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 08:55:58.573040962 CET	1.1.1.1	192.168.2.10	0xe50a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 08:55:58.573040962 CET	1.1.1.1	192.168.2.10	0xe50a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 08:55:58.573100090 CET	1.1.1.1	192.168.2.10	0xe25d	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 08:55:58.711308956 CET	1.1.1.1	192.168.2.10	0xe151	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:55:58.711308956 CET	1.1.1.1	192.168.2.10	0xe151	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.711308956 CET	1.1.1.1	192.168.2.10	0xe151	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.711308956 CET	1.1.1.1	192.168.2.10	0xe151	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.711308956 CET	1.1.1.1	192.168.2.10	0xe151	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.711338043 CET	1.1.1.1	192.168.2.10	0xecbb	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.711730957 CET	1.1.1.1	192.168.2.10	0xd112	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 08:55:58.849582911 CET	1.1.1.1	192.168.2.10	0x2709	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.914279938 CET	1.1.1.1	192.168.2.10	0xd45a	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.914279938 CET	1.1.1.1	192.168.2.10	0xd45a	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.914279938 CET	1.1.1.1	192.168.2.10	0xd45a	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:55:58.914279938 CET	1.1.1.1	192.168.2.10	0xd45a	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:08.943758965 CET	1.1.1.1	192.168.2.10	0x6e41	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:56:08.943758965 CET	1.1.1.1	192.168.2.10	0x6e41	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:08.993794918 CET	1.1.1.1	192.168.2.10	0x1923	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:56:08.993794918 CET	1.1.1.1	192.168.2.10	0x1923	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.043953896 CET	1.1.1.1	192.168.2.10	0x286	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.043953896 CET	1.1.1.1	192.168.2.10	0x286	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.043953896 CET	1.1.1.1	192.168.2.10	0x286	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.043953896 CET	1.1.1.1	192.168.2.10	0x286	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.183398008 CET	1.1.1.1	192.168.2.10	0x34e6	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.183787107 CET	1.1.1.1	192.168.2.10	0xbcff	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.183787107 CET	1.1.1.1	192.168.2.10	0xbcff	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.183787107 CET	1.1.1.1	192.168.2.10	0xbcff	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.183787107 CET	1.1.1.1	192.168.2.10	0xbcff	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:09.321918011 CET	1.1.1.1	192.168.2.10	0x6d48	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 08:56:09.321918011 CET	1.1.1.1	192.168.2.10	0x6d48	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 08:56:09.321918011 CET	1.1.1.1	192.168.2.10	0x6d48	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 08:56:09.321918011 CET	1.1.1.1	192.168.2.10	0x6d48	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 08:56:10.416874886 CET	1.1.1.1	192.168.2.10	0x1a00	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:56:10.416874886 CET	1.1.1.1	192.168.2.10	0x1a00	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:12.562735081 CET	1.1.1.1	192.168.2.10	0x2836	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:56:12.562735081 CET	1.1.1.1	192.168.2.10	0x2836	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:56:28.384579897 CET	1.1.1.1	192.168.2.10	0xccf0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:39.653110981 CET	1.1.1.1	192.168.2.10	0x9f9e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:56:41.206247091 CET	1.1.1.1	192.168.2.10	0x9295	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:56:41.206247091 CET	1.1.1.1	192.168.2.10	0x9295	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:57:10.993357897 CET	1.1.1.1	192.168.2.10	0xa066	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:57:10.993357897 CET	1.1.1.1	192.168.2.10	0xa066	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49727	34.107.221.82	80	5668	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:55:42.413381100 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:55:43.498761892 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74281 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49739	34.107.221.82	80	5668	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:55:43.828079939 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:55:44.913100958 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 62284 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49742	34.107.221.82	80	5668	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:55:44.848090887 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:55:45.933850050 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74283 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:55:46.675106049 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:55:46.989610910 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74284 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:55:49.645236015 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:55:49.959518909 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74287 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:55:52.573571920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:55:52.888129950 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74290 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:55:55.224023104 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:55:55.538642883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74293 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:55:57.522939920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:55:57.837522030 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74295 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:56:00.148925066 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:56:00.463340044 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74298 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:56:01.414521933 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:56:01.729438066 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74299 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:56:07.582029104 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:56:07.896517038 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74305 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:56:10.047111034 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:56:10.361589909 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74308 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:56:11.454350948 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:56:11.768534899 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74309 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:56:21.775255919 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:56:26.900121927 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:56:27.215964079 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74325 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:56:29.604183912 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:56:29.918744087 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74327 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:56:39.926002026 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:56:41.068628073 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:56:41.383748055 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74339 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:56:51.397392035 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:57:01.526593924 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:57:10.854777098 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 08:57:11.169778109 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 74369 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 08:57:21.183089018 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:57:31.312587976 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:57:41.446295023 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49751	34.107.221.82	80	5668	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:55:46.412319899 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:55:47.498537064 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78439 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:55:49.328300953 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:55:49.642935991 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78441 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:55:52.422425985 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:55:52.737297058 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78444 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:55:54.044599056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:55:54.359592915 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78446 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:55:56.340822935 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:55:56.657196045 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78448 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:55:57.286911011 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78448 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:55:58.171693087 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:55:58.486531973 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78450 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:56:00.592945099 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:56:00.907747984 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78452 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:56:01.735730886 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:56:02.050509930 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78453 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:56:07.900407076 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:56:08.215395927 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78460 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:56:10.365341902 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:56:10.680279970 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78462 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:56:11.772361040 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:56:12.087446928 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78463 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:56:22.091691971 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:56:27.219058037 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:56:27.534285069 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78479 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:56:29.922836065 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:56:30.237525940 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78482 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:56:40.242516994 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:56:41.387155056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:56:41.702714920 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78493 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:56:51.713958979 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:57:01.843251944 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:57:11.173360109 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 08:57:11.491014004 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 78523 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 08:57:21.499243975 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:57:31.629106045 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 08:57:41.763004065 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	02:55:30
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1b0000
File size:	972'288 bytes
MD5 hash:	0477F6F0FFA9D220785C139059AE2073
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:55:31
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:55:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:55:33
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:55:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:55:33
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:55:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:55:34
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:55:34
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:55:34
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:55:34
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:55:34
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:55:35
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:55:35
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:55:37
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c88cb1df-c4c7-48fc-8cea-8a402398f5b9} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 273fd16e710 socket
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	02:55:39
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4200 -parentBuildID 20230927232528 -prefsHandle 3940 -prefMapHandle 4192 -prefsLen 26308 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07ec12a2-6adc-446b-8620-3205216fb253} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 273fd183610 rdd
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	02:55:51
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5064 -prefMapHandle 5060 -prefsLen 33184 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31127174-00d4-4db6-aba6-974133e70ee5} 5668 "\\.\pipe\gecko-crash-server-pipe.5668" 2738eb48f10 utility
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.4%
Total number of Nodes:	1743
Total number of Limit Nodes:	63

Executed Functions

Function 001B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001B430D

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

GetCurrentProcess.KERNEL32(?,0024CB64,00000000,?,?), ref: 001B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 001B4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 001B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001B4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 001B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 001B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001B44A0

Strings

|O, xrefs: 001F36F8
GetNativeSystemInfo, xrefs: 001B4460
kernel32.dll, xrefs: 001B444F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8d766ff88b6d0042c5b5c38c477f7786895a2816c4c8936103c2a41eae0601a6
Instruction ID: 524569ce8276a89d717a8da2eb5a768e01bc9445743ce9ed336db6339c0e0cbd
Opcode Fuzzy Hash: 8d766ff88b6d0042c5b5c38c477f7786895a2816c4c8936103c2a41eae0601a6
Instruction Fuzzy Hash: 71A1C27E90B2C4DFD716D7697C4C1E57FAC6B26700B1888D9E08193AE2D36046BACB21

Function 001B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001B50AA,?,?,00000000,00000000), ref: 001B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001B50AA,?,?,00000000,00000000), ref: 001B42C9
LoadResource.KERNEL32(?,00000000,?,?,001B50AA,?,?,00000000,00000000,?,?,?,?,?,?,001B4F20), ref: 001F35BE
SizeofResource.KERNEL32(?,00000000,?,?,001B50AA,?,?,00000000,00000000,?,?,?,?,?,?,001B4F20), ref: 001F35D3
LockResource.KERNEL32(001B50AA,?,?,001B50AA,?,?,00000000,00000000,?,?,?,?,?,?,001B4F20,?), ref: 001F35E6

Strings

SCRIPT, xrefs: 001B42BF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f85d7d4d29fa496dc5ba01fa0ccefb8dca819da64075606be29e2e23df2fa252
Instruction ID: 3a9a11cf81ed2eab188322265b095dda74e450a61fd55254feae298d7d7d2032
Opcode Fuzzy Hash: f85d7d4d29fa496dc5ba01fa0ccefb8dca819da64075606be29e2e23df2fa252
Instruction Fuzzy Hash: C4118274201700BFD7258FA9EC49F677BB9EBC6B51F248169F842D6160DBB1DC009620

Function 001F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 001B2B6B

Part of subcall function 001B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00281418,?,001B2E7F,?,?,?,00000000), ref: 001B3A78

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00272224), ref: 001F2C10
ShellExecuteW.SHELL32(00000000,?,?,00272224), ref: 001F2C17

Strings

runas, xrefs: 001F2C0B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 84065eed466d53cdb4cae0ea9f9563775d1cf3e1711908c57cb9a4de28ca4a83
Instruction ID: de60f798db2fb1d1ec8bbf0e69f2d08d6f54f2211f67e2f3674515e26f365ec1
Opcode Fuzzy Hash: 84065eed466d53cdb4cae0ea9f9563775d1cf3e1711908c57cb9a4de28ca4a83
Instruction Fuzzy Hash: FE11B131209305AAC714FF64E895DFEBBA8ABB2300F54142DF596560E2CF318A6A8712

Function 0021D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0021D501
Process32FirstW.KERNEL32(00000000,?), ref: 0021D50F
Process32NextW.KERNEL32(00000000,?), ref: 0021D52F
CloseHandle.KERNEL32(00000000), ref: 0021D5DC

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f364977258936767083612c2c66ea942d0d3d1d2adfada4f7df20da2137453b6
Instruction ID: f3d95033c08275b875be3522dff81da960616553ae04f2c90c3ef9f1a92a3257
Opcode Fuzzy Hash: f364977258936767083612c2c66ea942d0d3d1d2adfada4f7df20da2137453b6
Instruction Fuzzy Hash: BA31E271108301EFD300EF54D885AEFBBF8EFA9344F50082DF586861A1EB719985CB92

Function 0021DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,001F5222), ref: 0021DBCE
GetFileAttributesW.KERNEL32(?), ref: 0021DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0021DBEE
FindClose.KERNEL32(00000000), ref: 0021DBFA

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 29f31cf3e1b9d06e31ec8c0f9c1806b2971d8c4c5d96ac830b1aa038fa7b1687
Instruction ID: 576fcd58ebdb33d531190b5be4f34183334bed27a4c9dc3e412c079cfd87220e
Opcode Fuzzy Hash: 29f31cf3e1b9d06e31ec8c0f9c1806b2971d8c4c5d96ac830b1aa038fa7b1687
Instruction Fuzzy Hash: 3BF0EC34421910978220AF7CBC0D4EA37AC9E02334B604B03F935C10F0EBF05DA4C9D5

Function 0020D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0020D220

Strings

%.3d, xrefs: 0020D22B
X64, xrefs: 0020D2A8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: dc2dd836c5533433e3dffb4b9664a5b0bf97ae191c0e99d27efa821645571c36
Instruction ID: c3a8246ddff8426f00d8fdaeecbe3cf87b4ff57f1154181441572c2c08c16e21
Opcode Fuzzy Hash: dc2dd836c5533433e3dffb4b9664a5b0bf97ae191c0e99d27efa821645571c36
Instruction Fuzzy Hash: 1DD0126582A318EECB9096D4DC49DBAB37CAB19301F608466FC0A91083D7B4D5286B61

Function 001D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001E28E9,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002,00000000,?,001E28E9), ref: 001D4D09
TerminateProcess.KERNEL32(00000000,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002,00000000,?,001E28E9), ref: 001D4D10
ExitProcess.KERNEL32 ref: 001D4D22

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c36f2d6b120b38d213d1acafba6f184d8fe4ece84404f894007e6d031bef2f28
Instruction ID: 0d783a1920e577d43d6469f19afd5774ac9244bd93095aa0e77d204f736b8e28
Opcode Fuzzy Hash: c36f2d6b120b38d213d1acafba6f184d8fe4ece84404f894007e6d031bef2f28
Instruction Fuzzy Hash: ECE0BF35001548ABCF616F54ED0DA583F6AEB56741B144055FC198B222CB35DD41CA40

Function 0020D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0020D28C

Strings

X64, xrefs: 0020D2A8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7a36532c2d3feb4d31230de9e097260555bb44087e961bcfd008ff5a111b7fde
Instruction ID: de46422c3a33dccf8e414d6d7ad673ba10ba5be99bb311ba423d4327293358d5
Opcode Fuzzy Hash: 7a36532c2d3feb4d31230de9e097260555bb44087e961bcfd008ff5a111b7fde
Instruction Fuzzy Hash: 05D0C9B481211DEFCB94CB94EC88DDAB37CBB14305F100165F506A2040DB7095488F10

Function 001BBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#(, xrefs: 002007CE

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#(
API String ID: 3964851224-548171481
Opcode ID: 305762f4a1f5378f8287e60fbed59854f5a8a43f002c36fc016459c998f1c4c1
Instruction ID: 5e79702416a3ca3648863f67daa116f8886697b259a2d910f1874b91c6af14dd
Opcode Fuzzy Hash: 305762f4a1f5378f8287e60fbed59854f5a8a43f002c36fc016459c998f1c4c1
Instruction Fuzzy Hash: D9A259706083019FD724DF18C480BAABBE1BF99304F15896DF99A8B392D771EC55CB92

Function 0023AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0023B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0023B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0023B1D4
_wcslen.LIBCMT ref: 0023B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0023B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0023B236
_wcslen.LIBCMT ref: 0023B332

Part of subcall function 002205A7: GetStdHandle.KERNEL32(000000F6), ref: 002205C6

_wcslen.LIBCMT ref: 0023B34B
_wcslen.LIBCMT ref: 0023B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0023B3B6
GetLastError.KERNEL32(00000000), ref: 0023B407
CloseHandle.KERNEL32(?), ref: 0023B439
CloseHandle.KERNEL32(00000000), ref: 0023B44A
CloseHandle.KERNEL32(00000000), ref: 0023B45C
CloseHandle.KERNEL32(00000000), ref: 0023B46E
CloseHandle.KERNEL32(?), ref: 0023B4E3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 31c0e632357f28e759776008a230dbc05b9a1bb618c1de4b5b1e16a1a1660d21
Instruction ID: bd1aeeb94db032d0e2f35e92cfc24bfa81c9a3411806bbda684a70d22ce380f0
Opcode Fuzzy Hash: 31c0e632357f28e759776008a230dbc05b9a1bb618c1de4b5b1e16a1a1660d21
Instruction Fuzzy Hash: 22F1CC716183019FC725EF24C891B6FBBE5AF85310F14855DF99A8B2A2CB31EC50CB52

Function 001BD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001BD807
timeGetTime.WINMM ref: 001BDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001BDB28
TranslateMessage.USER32(?), ref: 001BDB7B
DispatchMessageW.USER32(?), ref: 001BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001BDB9F
Sleep.KERNEL32(0000000A), ref: 001BDBB1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 375cddef3e66c4e8cd847433bf8c3ef730fdc9a803725febbe98b47a0d9cca0b
Instruction ID: 11492c1fd20e5d959990bb5cd1976ccd596b84d63b1cb2c41f5180c90b812d3b
Opcode Fuzzy Hash: 375cddef3e66c4e8cd847433bf8c3ef730fdc9a803725febbe98b47a0d9cca0b
Instruction Fuzzy Hash: 6442F330614342DFD72DCF24D888BAAB7E4BF56304F54455EE45A872D2E770E868CB92

Function 001B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001B2D07
RegisterClassExW.USER32(00000030), ref: 001B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B2D42
InitCommonControlsEx.COMCTL32(?), ref: 001B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001B2D6F
LoadIconW.USER32(000000A9), ref: 001B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001B2D94

Strings

TaskbarCreated, xrefs: 001B2D37
+, xrefs: 001B2CF0
0, xrefs: 001B2CE9
AutoIt v3 GUI, xrefs: 001B2D23

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d2376ba5347e9f04a79b08fd7dc6f602a89ee6e327346ad0989f78a2ab316dc7
Instruction ID: 973a16e353253d903468ea12830cec0afd082f472d4a088b7facc8794b54d650
Opcode Fuzzy Hash: d2376ba5347e9f04a79b08fd7dc6f602a89ee6e327346ad0989f78a2ab316dc7
Instruction Fuzzy Hash: B421E3B9952318AFDB40DFA8E84DBDDBBB8FB09700F10411AF511A62A0D7B14551CF90

Function 001F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001F039A: CreateFileW.KERNEL32(00000000,00000000,?,001F0704,?,?,00000000,?,001F0704,00000000,0000000C), ref: 001F03B7

GetLastError.KERNEL32 ref: 001F076F
__dosmaperr.LIBCMT ref: 001F0776
GetFileType.KERNEL32(00000000), ref: 001F0782
GetLastError.KERNEL32 ref: 001F078C
__dosmaperr.LIBCMT ref: 001F0795
CloseHandle.KERNEL32(00000000), ref: 001F07B5
CloseHandle.KERNEL32(?), ref: 001F08FF
GetLastError.KERNEL32 ref: 001F0931
__dosmaperr.LIBCMT ref: 001F0938

Strings

H, xrefs: 001F08BD

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 62bc8268af0378e007c5fb49056a346569ed1acfbca8aa20e55ac016dff191e9
Instruction ID: 3302e00ee84afa6a936527ba9f62544986d9bac06ee8c2cc9c6fe6f3270bbad3
Opcode Fuzzy Hash: 62bc8268af0378e007c5fb49056a346569ed1acfbca8aa20e55ac016dff191e9
Instruction Fuzzy Hash: 3BA14736A001088FDF1AAF68DC95BBE7BA0AB1A324F14415DF915DF392DB319D12CB91

Function 001B344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00281418,?,001B2E7F,?,?,?,00000000), ref: 001B3A78

Part of subcall function 001B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001B3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001F31CE
RegCloseKey.ADVAPI32(?), ref: 001F3210
_wcslen.LIBCMT ref: 001F3277
_wcslen.LIBCMT ref: 001F3286

Strings

\, xrefs: 001F328C
Include, xrefs: 001F3184, 001F31C5
\Include\, xrefs: 001B3527
Software\AutoIt v3\AutoIt, xrefs: 001B3560

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f76b4e2e0803a30b92eb96ad4dd601da0e9f64c6b90f4a1cff13b78af4b42f4f
Instruction ID: a45a7be0ec885fad6e1d6e0c68c17469f29748cc2700fbe9b1134b5c08a874db
Opcode Fuzzy Hash: f76b4e2e0803a30b92eb96ad4dd601da0e9f64c6b90f4a1cff13b78af4b42f4f
Instruction Fuzzy Hash: E371BF75406304DFC314EF69EC959ABBBE8FFA5740F50082EF555971A0EB309A48CB62

Function 001B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001B2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 001B2B9D
LoadIconW.USER32(00000063), ref: 001B2BB3
LoadIconW.USER32(000000A4), ref: 001B2BC5
LoadIconW.USER32(000000A2), ref: 001B2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001B2BEF
RegisterClassExW.USER32(?), ref: 001B2C40

Part of subcall function 001B2CD4: GetSysColorBrush.USER32(0000000F), ref: 001B2D07
Part of subcall function 001B2CD4: RegisterClassExW.USER32(00000030), ref: 001B2D31
Part of subcall function 001B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B2D42
Part of subcall function 001B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 001B2D5F
Part of subcall function 001B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001B2D6F
Part of subcall function 001B2CD4: LoadIconW.USER32(000000A9), ref: 001B2D85
Part of subcall function 001B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001B2D94

Strings

AutoIt v3, xrefs: 001B2C2F
#, xrefs: 001B2C16
0, xrefs: 001B2C0F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 45dd1bc6f65b7114d942beff89e41caa79dd2d40e3099b8aaa50cf632e39f399
Instruction ID: 841da6b1c6c0882e1020c8dc51be992ce4366838db892c2733a5ec4acb1d785b
Opcode Fuzzy Hash: 45dd1bc6f65b7114d942beff89e41caa79dd2d40e3099b8aaa50cf632e39f399
Instruction Fuzzy Hash: 74212C78E52314ABDB109FA9FC5DAEDBFB8FB48B50F14009AE500A66E0D7B10561CF90

Function 001BB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001BBB4E

Strings

p%(, xrefs: 001BBB32
x#(, xrefs: 00200207
p#(, xrefs: 0020024F
p#(, xrefs: 001BBB6B
p#(, xrefs: 001BBA72
x#(, xrefs: 00200168
p#(, xrefs: 00200263
p%(, xrefs: 001BB8DC

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#($p#($p#($p#($p%($p%($x#($x#(
API String ID: 1385522511-1050141907
Opcode ID: 93f6a08e9aca4604277b13488c643d632fea2ac27fdc72604bbe7abbfa17f741
Instruction ID: f3a377fd3a8ea064c4a8ac0e79b350c864e6896727a9b6d2eda14e35376fe7d3
Opcode Fuzzy Hash: 93f6a08e9aca4604277b13488c643d632fea2ac27fdc72604bbe7abbfa17f741
Instruction Fuzzy Hash: C232BC74A0820ADFEB24CF54C8D4BBEB7B5EF44304F158099E905AB6A2C7B4ED51CB91

Function 001B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,001B316A,?,?), ref: 001B31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,001B316A,?,?), ref: 001B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,001B316A,?,?), ref: 001B3232
CreatePopupMenu.USER32 ref: 001B3246
PostQuitMessage.USER32(00000000), ref: 001B3267

Strings

TaskbarCreated, xrefs: 001B322D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ed6d5cbc4b4d5f736ab1c3ee19a9201bc4066124f700d73732475d90969f34af
Instruction ID: b4d50b6bcd27406de9c64334947c4055c3e450ee4d127e2a675cb60570ea71c1
Opcode Fuzzy Hash: ed6d5cbc4b4d5f736ab1c3ee19a9201bc4066124f700d73732475d90969f34af
Instruction Fuzzy Hash: 75414B3D251208ABDB193B7CEC1EBF93A5DEB06340F140165F622862E2CB718E7197A1

Function 001BDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 002032B7
D%(, xrefs: 00202FDA
D%(D%(, xrefs: 001BE27E
D%(, xrefs: 0020302D
D%(, xrefs: 001BE1E0
D%(, xrefs: 001BE4B1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: D%($D%($D%($D%($D%(D%($Variable must be of type 'Object'.
API String ID: 0-1394618807
Opcode ID: 771a47f599d642a4345beac67187470543e9eb12ee9162de1cdd006d652a96a9
Instruction ID: 417bf578d6e7e51fd75a36f19f031e48cd97fdd7e12fb392462710c9dcfe02b2
Opcode Fuzzy Hash: 771a47f599d642a4345beac67187470543e9eb12ee9162de1cdd006d652a96a9
Instruction Fuzzy Hash: 8EC27775A00215CFCB24CFA8C884AEDB7F5BF18310F258569E906AB3A2D375ED51CB91

Function 001BEC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001BFE66

Strings

D%(, xrefs: 001BF36A
D%(, xrefs: 00204972
D%(D%(, xrefs: 001BF05B
D%(, xrefs: 0020491E
D%(, xrefs: 001BEFB7

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%($D%($D%($D%($D%(D%(
API String ID: 1385522511-2743762833
Opcode ID: f2c48896d9aecdd0cbf40790df13a6914a6f5b108d9defd6fc6bc1e6039f5cc7
Instruction ID: dfd96ad273c1e830e1af4c4e32a9cb5cba2094d946f3b091186d93b190b948d0
Opcode Fuzzy Hash: f2c48896d9aecdd0cbf40790df13a6914a6f5b108d9defd6fc6bc1e6039f5cc7
Instruction Fuzzy Hash: 86B28D74604301CFDB28DF18C890AAAB7E1BF99300F25886DF9859B391D771ED56CB92

Function 001B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001B1459
CoUninitialize.COMBASE ref: 001B14F8
UnregisterHotKey.USER32(?), ref: 001B16DD
DestroyWindow.USER32(?), ref: 001F24B9
FreeLibrary.KERNEL32(?), ref: 001F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001F254B

Strings

close all, xrefs: 001B1454

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2c08c0e3849073ef99ba39042541a96819c2754a1d99b427385a2734defdae63
Instruction ID: 8883049036fbc8309f13945ae12545ca68baa6f31189f095460cd1ef3d962802
Opcode Fuzzy Hash: 2c08c0e3849073ef99ba39042541a96819c2754a1d99b427385a2734defdae63
Instruction Fuzzy Hash: A1D17E31702212DFCB29EF54D4A9AB9F7A1BF15710F6641ADE94A6B261CB30EC12CF50

Function 0021DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0021DE42
gethostname.WS2_32(?,00000100), ref: 0021DE5C
gethostbyname.WS2_32(?), ref: 0021DE69
inet_ntoa.WSOCK32(?), ref: 0021DEAB
_strcat.LIBCMT ref: 0021DEB9
WSACleanup.WSOCK32 ref: 0021DEDE

Strings

0.0.0.0, xrefs: 0021DE87

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: b13bae47b0d4ee78a14fe7af7cc14a58c78c56cae6547fcda6932e9f2f3327d7
Instruction ID: 67b7200d350a69a6b89bee2d6ce9c31e78d3c2f126fc02f3f95df33378d3a87b
Opcode Fuzzy Hash: b13bae47b0d4ee78a14fe7af7cc14a58c78c56cae6547fcda6932e9f2f3327d7
Instruction Fuzzy Hash: 42113631914105EFDB24AF74EC4AEEE77ECDF35315F10016AF4059A191EF758AD18A50

Function 001B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001B2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001B2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,001B1CAD,?), ref: 001B2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,001B1CAD,?), ref: 001B2CCF

Strings

edit, xrefs: 001B2CAC
AutoIt v3, xrefs: 001B2C89, 001B2C8E, 001B2C8F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 32814bab34c398bf60fcd75ae8d4640f1bf802855e1e689e44b8a90acfe66f18
Instruction ID: 268ddf577bb52f8a974862ee3126de70fac8b00f50c8520c9d1de679da4bfffd
Opcode Fuzzy Hash: 32814bab34c398bf60fcd75ae8d4640f1bf802855e1e689e44b8a90acfe66f18
Instruction Fuzzy Hash: C3F0DA795423907AEB711717BC0CEB76EBDD7C7F50B10009AF900A65A0C6751862DBB0

Function 0020D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0020D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0020D3BF
FreeLibrary.KERNEL32(00000000), ref: 0020D3E5

Strings

X64, xrefs: 0020D2A8
GetSystemWow64DirectoryW, xrefs: 0020D3B9

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 973e256d03a2dd8907cbe9494a85a9d0a4ad97a3cd98bcaac67ea974cc36c2e9
Instruction ID: d7c53018a172517d75603c45464b314ab198bb219e8147094b1b60c70f17e64c
Opcode Fuzzy Hash: 973e256d03a2dd8907cbe9494a85a9d0a4ad97a3cd98bcaac67ea974cc36c2e9
Instruction Fuzzy Hash: 9EF05C75837712EFD3741B544C08A5977149F11B01B608498F809E10C7CB60CD708F92

Function 001B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001B3B0F,SwapMouseButtons,00000004,?), ref: 001B3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001B3B0F,SwapMouseButtons,00000004,?), ref: 001B3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,001B3B0F,SwapMouseButtons,00000004,?), ref: 001B3B83

Strings

Control Panel\Mouse, xrefs: 001B3B3E

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: cd0141d1449df21c84124a458138b3a5dfdea3b76c8214a31693632916b2178e
Instruction ID: 6f732181f3601c382de545c58f7335ebb383cd6868d2b0b47a0e0caf1dbabad7
Opcode Fuzzy Hash: cd0141d1449df21c84124a458138b3a5dfdea3b76c8214a31693632916b2178e
Instruction Fuzzy Hash: EF115AB5511208FFDB218FA8DD48AEEB7B8EF01740B104559E811D7214D7319E509760

Function 001B3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001F33A2

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 001B3A04

Strings

Line: , xrefs: 001F33EB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 45ed2bdae59797ab995344573a87d62b9508ac0adcb96fe8667433b2329cab56
Instruction ID: 9807515e4e08af4319d017a5c917b2cd95888d743cad55d739f16dda5799e1a2
Opcode Fuzzy Hash: 45ed2bdae59797ab995344573a87d62b9508ac0adcb96fe8667433b2329cab56
Instruction Fuzzy Hash: C831F271409304ABC325EB20EC49BEBB7ECAF61314F10456EF5A9831D1EB749A69C7C2

Function 001B2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 001F2C8C

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

Part of subcall function 001B2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 001B2DC4

Strings

`e', xrefs: 001F2C85
X, xrefs: 001F2C5A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e'
API String ID: 779396738-340175575
Opcode ID: c35a5b0bed86640a8873bf5a2bf1ffab3f8ac679b995f086b28b7d548ba6bffa
Instruction ID: e42c799af479335b603a131c6198ce7483136c85d5eac2b22478c7737f71c61c
Opcode Fuzzy Hash: c35a5b0bed86640a8873bf5a2bf1ffab3f8ac679b995f086b28b7d548ba6bffa
Instruction Fuzzy Hash: 0821A571A1025C9FCB01DF94C849BEE7BFCAF59304F008059E519A7241DBB89A5D8F61

Function 001CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001D0668

Part of subcall function 001D32A4: RaiseException.KERNEL32(?,?,?,001D068A,?,00281444,?,?,?,?,?,?,001D068A,001B1129,00278738,001B1129), ref: 001D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 001D0685

Strings

Unknown exception, xrefs: 001D0692

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 43235e2bea3d1d6b4d2e321ab8e4c7c11d6611229da4418c814fee7a0e4bb73c
Instruction ID: 6215c68bc32ad97623afc7fc0d517c6d5754095963f00c3fb350946c81db9c25
Opcode Fuzzy Hash: 43235e2bea3d1d6b4d2e321ab8e4c7c11d6611229da4418c814fee7a0e4bb73c
Instruction Fuzzy Hash: 57F0F63490020DB7CB05BAB4EC4AEAE7B6D5E64350F60413BB828D67D1EF71EA26C5C1

Function 001B10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001B1BF4
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 001B1BFC
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001B1C07
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001B1C12
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 001B1C1A
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 001B1C22

Part of subcall function 001B1B4A: RegisterWindowMessageW.USER32(00000004,?,001B12C4), ref: 001B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001B136A
OleInitialize.OLE32 ref: 001B1388
CloseHandle.KERNEL32(00000000,00000000), ref: 001F24AB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4df8ea0af545521ea9234b16f6edb464952ee91c0a796ebd4731d58399b36987
Instruction ID: 1dbd40e83b46311920a30bb217daf3c59ec05a9802fd6cacb4861ce22df11b2b
Opcode Fuzzy Hash: 4df8ea0af545521ea9234b16f6edb464952ee91c0a796ebd4731d58399b36987
Instruction Fuzzy Hash: B5718DBC9132009ED384EF79F95D6A53AEDBB98344794812AD40AC72E2EB384432CF45

Function 0021C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 001B3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0021C259
KillTimer.USER32(?,00000001,?,?), ref: 0021C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0021C270

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 8a3a5f76e2ea46f8c035390736c1d0192db81fb8f8423fe63f8f71f0841071ac
Instruction ID: c482d02c5114aee2182cca546791d1dbc1523c5d16f39069743c6e13f6f04271
Opcode Fuzzy Hash: 8a3a5f76e2ea46f8c035390736c1d0192db81fb8f8423fe63f8f71f0841071ac
Instruction Fuzzy Hash: E331E378950344AFEB328F649859BEBBBECAB26308F20009AD5DA93241C3745AC4CB51

Function 001E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,001E85CC,?,00278CC8,0000000C), ref: 001E8704
GetLastError.KERNEL32(?,001E85CC,?,00278CC8,0000000C), ref: 001E870E
__dosmaperr.LIBCMT ref: 001E8739

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fd9cdd35dc335498a6f00907d6a1d8a3ed0b496ee66a7ed268a701b4e587e7f4
Instruction ID: 8b37cb8bc416f8f76f87e9ef8085235314e4755dc3bcccbfab11d77dba6d87d9
Opcode Fuzzy Hash: fd9cdd35dc335498a6f00907d6a1d8a3ed0b496ee66a7ed268a701b4e587e7f4
Instruction Fuzzy Hash: 0B016B32A05EE016C3686637684977E6B4A4BA6778F390119F81C8B1D2DFA0CCC18250

Function 001BDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 001BDB7B
DispatchMessageW.USER32(?), ref: 001BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001BDB9F
Sleep.KERNEL32(0000000A), ref: 001BDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00201CC9

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 69a578d07ce60a749ae7e721ca027ae4e513bbcdedcec2d7a01711c4303a31b5
Instruction ID: b2a5d958c6d871907c660f2936314490619bcb1cee489b6b44bb59d26a39c27a
Opcode Fuzzy Hash: 69a578d07ce60a749ae7e721ca027ae4e513bbcdedcec2d7a01711c4303a31b5
Instruction Fuzzy Hash: 6FF05E306453419BFB74CBA4AC49FEA73ACEB46310F504619E60A930C0EB30A458CB26

Function 001C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001C17F6

Strings

CALL, xrefs: 001C17C6

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 91683b4d676fc3ea241808d5fc6a9a6ad44a2c3dcdcd64b13d5e69e16c663a2c
Instruction ID: b2afa95bcda0ec1600bedb70943a258328c176df4924967b4fc16fb42901d766
Opcode Fuzzy Hash: 91683b4d676fc3ea241808d5fc6a9a6ad44a2c3dcdcd64b13d5e69e16c663a2c
Instruction Fuzzy Hash: 8C227A70648301AFC714DF14C484F2ABBF1BFAA314F64895DF4968B2A2D771E865CB92

Function 001C01E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae79868ba2a7de2432ac55ed1a6b0533f04c6995615856b2823e3d029a463ccf
Instruction ID: 35b2ccd6e83937c70f3ae85c761cc5905ea2ca9ca3cf81fe263c5b0415f40f8c
Opcode Fuzzy Hash: ae79868ba2a7de2432ac55ed1a6b0533f04c6995615856b2823e3d029a463ccf
Instruction Fuzzy Hash: D532CB30A00615DFCB25DF94C885FAEB7B5AF28310F14856DE916AB2A2D731ED50CF91

Function 0020D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0020D375

Strings

X64, xrefs: 0020D2A8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 99355eaa6d942f4dab8560aed00591251ce19678aa540219ce037a196b5e261b
Instruction ID: fb56f9c380e24593236c388fac9adb79de65c1a159ab027a0617df6ef6ceaa40
Opcode Fuzzy Hash: 99355eaa6d942f4dab8560aed00591251ce19678aa540219ce037a196b5e261b
Instruction Fuzzy Hash: FCD0C9B5826218EFCB94CB84EC88DDAB77CBB14311F604195F402A2042DB7095589F10

Function 001B3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B3908

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1c31bc729c184fa6c167ba55eacc6a8fc49879b978328f7b6461d72a6f26848c
Instruction ID: a00b0112112e6ed94426c249cda1fa5d2c667ba390e88a51add9c22bf72b2257
Opcode Fuzzy Hash: 1c31bc729c184fa6c167ba55eacc6a8fc49879b978328f7b6461d72a6f26848c
Instruction Fuzzy Hash: 5F31B474505701DFD721DF24E8887D7BBE8FB49708F00096EF6A983280E771AA55CB52

Function 001CF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001CF661

Part of subcall function 001BD730: GetInputState.USER32 ref: 001BD807

Sleep.KERNEL32(00000000), ref: 0020F2DE

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 2991abc74b9d0bc038a050ca70eb66e781d0ec8191003f592272e9d8b2882e63
Instruction ID: c01b6569fb72651a0d3004000640672f12a071c05a84e820953852868d8e9a11
Opcode Fuzzy Hash: 2991abc74b9d0bc038a050ca70eb66e781d0ec8191003f592272e9d8b2882e63
Instruction Fuzzy Hash: E1F08C352446059FD364EF69E449BAAB7E8EF56760F00002AF85EC76A1DBB0A800CB91

Function 001B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E9C
Part of subcall function 001B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001B4EAE
Part of subcall function 001B4E90: FreeLibrary.KERNEL32(00000000,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4EFD

Part of subcall function 001B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E62
Part of subcall function 001B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001B4E74
Part of subcall function 001B4E59: FreeLibrary.KERNEL32(00000000,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E87

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6ac5b42282518a2dfe31bbbeb36eb788065e2f35bd00a69c74c79f15cf182af9
Instruction ID: 0aef5d68697774a2ce8c5a3c46a2fa1488c2e5f5005084603436b5b30109dbcf
Opcode Fuzzy Hash: 6ac5b42282518a2dfe31bbbeb36eb788065e2f35bd00a69c74c79f15cf182af9
Instruction Fuzzy Hash: 1D11C432610205ABDB14FB68DC42BED77A59F60710F20842EF542A71C2EF74DA459B50

Function 001E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001E8440

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 87beb952f35318f489a6f392ad75e9bfd3cb39f74f09205c356b9363ea11c30c
Instruction ID: eafc608a8a0105a19c7ab2d5ca145ce442184f1799415df148d92dc358f3d465
Opcode Fuzzy Hash: 87beb952f35318f489a6f392ad75e9bfd3cb39f74f09205c356b9363ea11c30c
Instruction Fuzzy Hash: 9D11487590410AAFCB05DF59E940A9E7BF4EF48314F104059F808AB352DB30EA11CBA4

Function 001E5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001E4C7D: RtlAllocateHeap.NTDLL(00000008,001B1129,00000000,?,001E2E29,00000001,00000364,?,?,?,001DF2DE,001E3863,00281444,?,001CFDF5,?), ref: 001E4CBE

_free.LIBCMT ref: 001E506C

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3bff4139bd2477263169505700b17549941e7f21d78f413ad51a20167c23e1f6
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BA012672204B446BE3218E669885A5EFBEDFB89374F25051DF194832C0EB70A805C7B4

Function 001DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: ddf33f837cdd92f6549d4e0de9d2644b0131bfe22d3c7635ce4c55c8bb68f1ae
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: DEF0F432510E1496C7353A6A9C05B9A33DC9F7233AF11071BF4259B3D2DB74E802CAA5

Function 001E4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,001B1129,00000000,?,001E2E29,00000001,00000364,?,?,?,001DF2DE,001E3863,00281444,?,001CFDF5,?), ref: 001E4CBE

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ab0f0dbfb66dfc73e82e4f019b7aa57ac1ea621fe6c69309b81fe8f297379fa4
Instruction ID: 966e67a2dc8e62ddca34fbbf5be92a8808340e9d0f79c7df84f9d5559619f6c5
Opcode Fuzzy Hash: ab0f0dbfb66dfc73e82e4f019b7aa57ac1ea621fe6c69309b81fe8f297379fa4
Instruction Fuzzy Hash: A9F0E231603AA467DB255F67AC09B5F3788BF917A0B394126B81AAB6D0CB30D80196E0

Function 001E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1685ba3f24d223d4270ffe12dc088b4a8fe9b3b941bf5ad7e458d861f0c0da52
Instruction ID: 37986d45ab02f512525d6db0bef7f197783a817dd457db1f06b257dd64e3f7bc
Opcode Fuzzy Hash: 1685ba3f24d223d4270ffe12dc088b4a8fe9b3b941bf5ad7e458d861f0c0da52
Instruction Fuzzy Hash: 79E0E531101AA467D631266B9C0DF9F3748AB827B0F150326BC25935D0CB20DE0182E0

Function 001B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4F6D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 97cf5a9c32f17cf4391ceefe68fe8f01e30083b41ba2c2d244bf675950bdba36
Instruction ID: c5d2cd83cb5d4a116998cf237b675a55a89baa2c59b411c8e53a742953b3e977
Opcode Fuzzy Hash: 97cf5a9c32f17cf4391ceefe68fe8f01e30083b41ba2c2d244bf675950bdba36
Instruction Fuzzy Hash: 38F03971505752CFDB389F68E4948A2BBF4EF1432A320C97EE1EA83622C7319844DF50

Function 00242A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00242A66

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 2786d7652413bdc8cc2bc2ac0679fdfc70f86731f65ffdd17b50f3d26e1c779a
Instruction ID: 81538d47bc657d0731808e96fac106dce969642c861b4550e35da82a6f68eb8a
Opcode Fuzzy Hash: 2786d7652413bdc8cc2bc2ac0679fdfc70f86731f65ffdd17b50f3d26e1c779a
Instruction Fuzzy Hash: B9E04836370126EAC754EE31EC848F9739CEB613957504536FC1AD3100DF3099B586A0

Function 001B30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 001B314E

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 07119518ac64cd2fb38e593a24b443662196a4393e97268add1b2eb2e5df2b88
Instruction ID: 42692eb932136a02e08e80c90575f8bc4d1bc215e8ab0d315400f5bc406182d1
Opcode Fuzzy Hash: 07119518ac64cd2fb38e593a24b443662196a4393e97268add1b2eb2e5df2b88
Instruction Fuzzy Hash: 80F0A7749003049FE7529B24EC4A7D57BBCA701708F0000E5E148962C2D7704799CF41

Function 001B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 001B2DC4

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7e9e42eb15bf01b1316a94195a0ba471efa9baafc61cd1bdc06f0aae04c4c8ce
Instruction ID: 9d25dfdc24ef8ad71f323e8e3b2d3a5c1e00d12e205ff6d46086f655c124377d
Opcode Fuzzy Hash: 7e9e42eb15bf01b1316a94195a0ba471efa9baafc61cd1bdc06f0aae04c4c8ce
Instruction Fuzzy Hash: 24E0CD766011245BC710D2589C05FEA77EDDFC8790F040071FD09D7248DBA4AD848550

Function 001B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B3908

Part of subcall function 001BD730: GetInputState.USER32 ref: 001BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 001B2B6B

Part of subcall function 001B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 001B314E

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: ddfb02288305b8191b7cf20a6bcb7ab1d316172c677c33b0798bd1382ac634d5
Instruction ID: 1e3294cca8ff2a63808ec35ae3de4d5954e508b8c5592af5094416b5823f360a
Opcode Fuzzy Hash: ddfb02288305b8191b7cf20a6bcb7ab1d316172c677c33b0798bd1382ac634d5
Instruction Fuzzy Hash: 08E08C2630524806CA08BBB5B8A69EDB7599BF2355F40163EF152871A3DF248A6A8352

Function 0021DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0021DF40

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 464cdd52324af47d921d019fdcf11c3c194ea76eae1fb711a098b52457f14c5b
Instruction ID: a1032b5a73ffff299dff283665d2ee65c160eae491a6a1751d2b7af4aaa16619
Opcode Fuzzy Hash: 464cdd52324af47d921d019fdcf11c3c194ea76eae1fb711a098b52457f14c5b
Instruction Fuzzy Hash: 1BD05EA6A002282BDF60A6749D0DDF73AACC740210F0006A0786DD3152EA24DD4486B0

Function 001F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,001F0704,?,?,00000000,?,001F0704,00000000,0000000C), ref: 001F03B7

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cb67294304794444d14dc5f4a7eb5ae60803232daf87ca6b5561b73d693fa645
Instruction ID: 44a1792a312887e9a01f940c2e2618a939f4dd132a64c84fcb0ef7c2cbeb88fb
Opcode Fuzzy Hash: cb67294304794444d14dc5f4a7eb5ae60803232daf87ca6b5561b73d693fa645
Instruction Fuzzy Hash: 25D06C3204010DBBDF028F84ED06EDA3BAAFB48714F114000FE1C56020C732E821AB90

Function 001B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 001B1CBC

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: bf13a7dcba54632051259e0bd53f03a86beb6b37a97f6032297389a60cb2723b
Instruction ID: e9d9842af276505a8adf7a67e48098f3cb32b913267532a902925235180de844
Opcode Fuzzy Hash: bf13a7dcba54632051259e0bd53f03a86beb6b37a97f6032297389a60cb2723b
Instruction Fuzzy Hash: F7C0483A282204AAE2188B84BC4EF547768A348B01F948001F60AA95E382A22820AB50

Non-executed Functions

Function 00249576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0024961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0024965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0024969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002496C9
SendMessageW.USER32 ref: 002496F2
GetKeyState.USER32(00000011), ref: 0024978B
GetKeyState.USER32(00000009), ref: 00249798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002497AE
GetKeyState.USER32(00000010), ref: 002497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002497E9
SendMessageW.USER32 ref: 00249810
SendMessageW.USER32(?,00001030,?,00247E95), ref: 00249918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0024992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00249941
SetCapture.USER32(?), ref: 0024994A
ClientToScreen.USER32(?,?), ref: 002499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002499D6
ReleaseCapture.USER32 ref: 002499E1
GetCursorPos.USER32(?), ref: 00249A19
ScreenToClient.USER32(?,?), ref: 00249A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00249A80
SendMessageW.USER32 ref: 00249AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00249AEB
SendMessageW.USER32 ref: 00249B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00249B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00249B4A
GetCursorPos.USER32(?), ref: 00249B68
ScreenToClient.USER32(?,?), ref: 00249B75
GetParent.USER32(?), ref: 00249B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00249BFA
SendMessageW.USER32 ref: 00249C2B
ClientToScreen.USER32(?,?), ref: 00249C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00249CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00249CDE
SendMessageW.USER32 ref: 00249D01
ClientToScreen.USER32(?,?), ref: 00249D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00249D82

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

GetWindowLongW.USER32(?,000000F0), ref: 00249E05

Strings

@GUI_DRAGID, xrefs: 0024997D
F, xrefs: 00249D07
p#(, xrefs: 00249990

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#(
API String ID: 3429851547-3736874359
Opcode ID: 44a1602112246300ea19c20b7b37b23b037ea8cfb01254ec9cc57cfe46051868
Instruction ID: b3a4315cb608b2bbb744361207f349644a88c8e218b296c104ae1d61cc7391e2
Opcode Fuzzy Hash: 44a1602112246300ea19c20b7b37b23b037ea8cfb01254ec9cc57cfe46051868
Instruction Fuzzy Hash: 3E42BE34615202AFD729CF28DC48EABBBE9FF89310F114619F599872A1D771E8A0CF41

Function 00244873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00244908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00244927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0024494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0024495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0024497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00244A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00244A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00244A7E
IsMenu.USER32(?), ref: 00244A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00244AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00244B20
GetWindowLongW.USER32(?,000000F0), ref: 00244B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00244BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00244C82
wsprintfW.USER32 ref: 00244CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00244CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00244CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00244D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00244D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00244D5A

Strings

%d/%02d/%02d, xrefs: 00244CA8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: edad06940c4574669b5a62edc8c437d6b2e1fb5eed3db1c1b56e944dbdc445ee
Instruction ID: 5cc2c96bde0ca89cbab469207df487893442c865f27c2d0dbfbfde3f41be0e57
Opcode Fuzzy Hash: edad06940c4574669b5a62edc8c437d6b2e1fb5eed3db1c1b56e944dbdc445ee
Instruction Fuzzy Hash: 3D123531610215ABEB28AF28DC49FAE7BF8FF85710F104129F916EB2E1DB749951CB50

Function 001CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 001CF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0020F474
IsIconic.USER32(00000000), ref: 0020F47D
ShowWindow.USER32(00000000,00000009), ref: 0020F48A
SetForegroundWindow.USER32(00000000), ref: 0020F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0020F4AA
GetCurrentThreadId.KERNEL32 ref: 0020F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0020F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0020F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0020F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0020F4DE
SetForegroundWindow.USER32(00000000), ref: 0020F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F4F6
keybd_event.USER32(00000012,00000000), ref: 0020F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F50B
keybd_event.USER32(00000012,00000000), ref: 0020F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F519
keybd_event.USER32(00000012,00000000), ref: 0020F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F528
keybd_event.USER32(00000012,00000000), ref: 0020F52D
SetForegroundWindow.USER32(00000000), ref: 0020F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0020F557

Strings

Shell_TrayWnd, xrefs: 0020F46F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d9c3b3ccbe8cb774ef587d8cc91f236d0188acefe25429bf9ff4707041fb14c1
Instruction ID: 857176b30bed918bdd8b74e72dab862d580265dc4eb7a9e530a27bdee8b72922
Opcode Fuzzy Hash: d9c3b3ccbe8cb774ef587d8cc91f236d0188acefe25429bf9ff4707041fb14c1
Instruction Fuzzy Hash: 6A315075A91318BBEB706FB95C4AFBF7E6CEB45B50F210025FA04F61D1C6B06D10AA60

Function 00211201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0021170D
Part of subcall function 002116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0021173A
Part of subcall function 002116C3: GetLastError.KERNEL32 ref: 0021174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00211286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002112A8
CloseHandle.KERNEL32(?), ref: 002112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002112D1
GetProcessWindowStation.USER32 ref: 002112EA
SetProcessWindowStation.USER32(00000000), ref: 002112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00211310

Part of subcall function 002110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002111FC), ref: 002110D4
Part of subcall function 002110BF: CloseHandle.KERNEL32(?,?,002111FC), ref: 002110E9

Strings

Z', xrefs: 00211392
, xrefs: 0021125A
winsta0, xrefs: 002112CC
default, xrefs: 0021130B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z'
API String ID: 22674027-1455465207
Opcode ID: 3fb4b640ed6ad449e14c8b929142e13bcd06245865d91891993197938fa28cfc
Instruction ID: 7ac61cfbb4b1216b4973c7947c51779355949a4737bfa5cb04e9b32fc8402062
Opcode Fuzzy Hash: 3fb4b640ed6ad449e14c8b929142e13bcd06245865d91891993197938fa28cfc
Instruction Fuzzy Hash: 2881C271910209AFDF209FA8DC49FEE7BFDEF15B04F144129FA11A61A0D77189A4CB61

Function 00210B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00211114
Part of subcall function 002110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211120
Part of subcall function 002110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 0021112F
Part of subcall function 002110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211136
Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0021114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00210BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00210C00
GetLengthSid.ADVAPI32(?), ref: 00210C17
GetAce.ADVAPI32(?,00000000,?), ref: 00210C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00210C6D
GetLengthSid.ADVAPI32(?), ref: 00210C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00210C8C
HeapAlloc.KERNEL32(00000000), ref: 00210C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00210CB4
CopySid.ADVAPI32(00000000), ref: 00210CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00210CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00210D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00210D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210D45
HeapFree.KERNEL32(00000000), ref: 00210D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210D55
HeapFree.KERNEL32(00000000), ref: 00210D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210D65
HeapFree.KERNEL32(00000000), ref: 00210D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00210D78
HeapFree.KERNEL32(00000000), ref: 00210D7F

Part of subcall function 00211193: GetProcessHeap.KERNEL32(00000008,00210BB1,?,00000000,?,00210BB1,?), ref: 002111A1
Part of subcall function 00211193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00210BB1,?), ref: 002111A8
Part of subcall function 00211193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00210BB1,?), ref: 002111B7

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e6f0eaa5bbe074c014d793f987a814c31851f8a176affe1edf5be8c4e1a0681e
Instruction ID: bf9304c9f2b2c86ec8d92fe8fe617a4f97cf8fc8ce164b090ca06328d84ed7ed
Opcode Fuzzy Hash: e6f0eaa5bbe074c014d793f987a814c31851f8a176affe1edf5be8c4e1a0681e
Instruction Fuzzy Hash: 3B716E7590120AABDF10DFE4EC88FEEBBB8FF15300F144525E918A6191D7B1A995CFA0

Function 0022EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0024CC08), ref: 0022EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0022EB37
GetClipboardData.USER32(0000000D), ref: 0022EB43
CloseClipboard.USER32 ref: 0022EB4F
GlobalLock.KERNEL32(00000000), ref: 0022EB87
CloseClipboard.USER32 ref: 0022EB91
GlobalUnlock.KERNEL32(00000000), ref: 0022EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0022EBC9
GetClipboardData.USER32(00000001), ref: 0022EBD1
GlobalLock.KERNEL32(00000000), ref: 0022EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0022EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0022EC38
GetClipboardData.USER32(0000000F), ref: 0022EC44
GlobalLock.KERNEL32(00000000), ref: 0022EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0022EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0022EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0022ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0022ECF3
CountClipboardFormats.USER32 ref: 0022ED14
CloseClipboard.USER32 ref: 0022ED59

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 2189c6229ec3d0694aebeefe6d37acf32b0488bd92eb669994cc87f999ba99b7
Instruction ID: e0bbda2af4872a566c6f88bf0ce52bad1a2fd8ce0145d53f2c35ffc39a6874bf
Opcode Fuzzy Hash: 2189c6229ec3d0694aebeefe6d37acf32b0488bd92eb669994cc87f999ba99b7
Instruction Fuzzy Hash: F961F374204302AFD700EFA4E888F6A77E8BF95714F25451DF8568B2A1CB71DD05DB62

Function 0022698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002269BE
FindClose.KERNEL32(00000000), ref: 00226A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00226A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00226A75

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00226AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00226ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00226B6A
%4d, xrefs: 00226BB1
%03d, xrefs: 00226DA2
%02d, xrefs: 00226C00, 00226C0A, 00226C5A, 00226CAA, 00226CFA, 00226D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00226B32

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c34d9ae63c96e0ee3974e6a612fb898d6f5183cf3239015c505b86a8038c04db
Instruction ID: 3824a7cc77cc8bd7a1f33c5a6362651ba23fbe5ebc7ce2f055a43467f87641b9
Opcode Fuzzy Hash: c34d9ae63c96e0ee3974e6a612fb898d6f5183cf3239015c505b86a8038c04db
Instruction Fuzzy Hash: B5D16F72508300AFC310EFA4D895EABB7ECAFA9704F04491DF589D7191EB74DA05CBA2

Function 00229642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00229663
GetFileAttributesW.KERNEL32(?), ref: 002296A1
SetFileAttributesW.KERNEL32(?,?), ref: 002296BB
FindNextFileW.KERNEL32(00000000,?), ref: 002296D3
FindClose.KERNEL32(00000000), ref: 002296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0022974A
SetCurrentDirectoryW.KERNEL32(00276B7C), ref: 00229768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00229772
FindClose.KERNEL32(00000000), ref: 0022977F
FindClose.KERNEL32(00000000), ref: 0022978F

Strings

*.*, xrefs: 002296F5

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 773b1ea3c2575463629be2ba08236de943e7a7d154d4f82cca21837d1cac11b6
Instruction ID: bc3d3c0afa0b2f7fbadb1c6ad14a1426d42be9279f23ef59d7f7a0fe2bbaddec
Opcode Fuzzy Hash: 773b1ea3c2575463629be2ba08236de943e7a7d154d4f82cca21837d1cac11b6
Instruction Fuzzy Hash: 1F31C27651162A7ADB14EFF9FC4CAEE77ACAF0A320F204156F905E2190DB70D9948E14

Function 0022979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 002297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00229819
FindClose.KERNEL32(00000000), ref: 00229824
FindFirstFileW.KERNEL32(*.*,?), ref: 00229840
SetCurrentDirectoryW.KERNEL32(?), ref: 00229890
SetCurrentDirectoryW.KERNEL32(00276B7C), ref: 002298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002298B8
FindClose.KERNEL32(00000000), ref: 002298C5
FindClose.KERNEL32(00000000), ref: 002298D5

Part of subcall function 0021DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0021DB00

Strings

*.*, xrefs: 0022983B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f2402521436e47749ef2730c75b64e3a2ee4fa112c4808cc55ac797da9061ef8
Instruction ID: b68fa00ae8c44da24748bead062f2ab07b842e55705e5f3438c48cf0497edbb5
Opcode Fuzzy Hash: f2402521436e47749ef2730c75b64e3a2ee4fa112c4808cc55ac797da9061ef8
Instruction Fuzzy Hash: E531C53151162A7ADB14EFF8FC48ADE77ACAF07320F244156E914E2191DB70D9A4CE25

Function 0021D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

Part of subcall function 0021E199: GetFileAttributesW.KERNEL32(?,0021CF95), ref: 0021E19A

FindFirstFileW.KERNEL32(?,?), ref: 0021D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0021D1DD
MoveFileW.KERNEL32(?,?), ref: 0021D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0021D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0021D237

Part of subcall function 0021D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0021D21C,?,?), ref: 0021D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0021D253
FindClose.KERNEL32(00000000), ref: 0021D264

Strings

\*.*, xrefs: 0021D0CD, 0021D0D6, 0021D0EB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 834543799e473f75e35fd170f303579879d12a463f043014f6710d8b158e9cf1
Instruction ID: 374c167c8860f4845111ff97e94fd0fd6f5884fc652e24cc0fafe9bb0d6231b4
Opcode Fuzzy Hash: 834543799e473f75e35fd170f303579879d12a463f043014f6710d8b158e9cf1
Instruction Fuzzy Hash: 34617C3180110EEBCF05EFE4D9929EDB7B5AF25300F604165E81677192EB30AF5ADB60

Function 0022ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0022ED91
EmptyClipboard.USER32 ref: 0022ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0022EDAC
CloseClipboard.USER32 ref: 0022EEA3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 96c12bda4b17ac3af7149cfdf046cadbc3ace72f31943c28e8dae33725021cbe
Instruction ID: a9b99961842db41c942a7321178cc629e2d2c003fc444e35bc86d95ff76ee093
Opcode Fuzzy Hash: 96c12bda4b17ac3af7149cfdf046cadbc3ace72f31943c28e8dae33725021cbe
Instruction Fuzzy Hash: 2141E135215221AFD720CF59F848B19BBE4FF45328F16C099E4158B762C775EC41CB90

Function 0021E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0021170D
Part of subcall function 002116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0021173A
Part of subcall function 002116C3: GetLastError.KERNEL32 ref: 0021174A

ExitWindowsEx.USER32(?,00000000), ref: 0021E932

Strings

@, xrefs: 0021E925
, xrefs: 0021E920
, xrefs: 0021E95C
SeShutdownPrivilege, xrefs: 0021E902

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b56364becea237a0308422bff838197fc64d3c2fa45dabc51d529e9da352f6b7
Instruction ID: 07747b7aa39b2661c55f95a2ede18c1c29a5aea719dec0b71a9f10391eb4084f
Opcode Fuzzy Hash: b56364becea237a0308422bff838197fc64d3c2fa45dabc51d529e9da352f6b7
Instruction Fuzzy Hash: 3801DB76630311ABEF546678AC8ABFF72DC9B28750F164422FD03E21D1D5A55CE085E4

Function 00231204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00231276
WSAGetLastError.WSOCK32 ref: 00231283
bind.WSOCK32(00000000,?,00000010), ref: 002312BA
WSAGetLastError.WSOCK32 ref: 002312C5
closesocket.WSOCK32(00000000), ref: 002312F4
listen.WSOCK32(00000000,00000005), ref: 00231303
WSAGetLastError.WSOCK32 ref: 0023130D
closesocket.WSOCK32(00000000), ref: 0023133C

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 0df364c223b168432a500359ed375b28da12e3dbe3c231bd8012a6f844b1c78d
Instruction ID: 19db37bcc55df8ad7c1f64b6c759e98f427fc83dd3f62d1ed69c011e480544c8
Opcode Fuzzy Hash: 0df364c223b168432a500359ed375b28da12e3dbe3c231bd8012a6f844b1c78d
Instruction Fuzzy Hash: 9F41B275A001119FD710DF28D488B6ABBE5BF86318F288188E8568F3D6C771ED91CBE1

Function 001EB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001EB9D4
_free.LIBCMT ref: 001EB9F8
_free.LIBCMT ref: 001EBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00253700), ref: 001EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0028121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00281270,000000FF,?,0000003F,00000000,?), ref: 001EBC36
_free.LIBCMT ref: 001EBD4B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0f8ac61713d643d3b5d91d5a42a148a26460f047dd93c914ab8d295e965c2d2c
Instruction ID: 60d14e8f72a97d35e74c341c7b7d47a0d87dcb1fb75d29d0942f6bf27e1d26a6
Opcode Fuzzy Hash: 0f8ac61713d643d3b5d91d5a42a148a26460f047dd93c914ab8d295e965c2d2c
Instruction Fuzzy Hash: CEC14975908A84AFCB24DF7A9CC1BAF7BB8EF51310F2441AAE494D7296E7308E41C750

Function 0021D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

Part of subcall function 0021E199: GetFileAttributesW.KERNEL32(?,0021CF95), ref: 0021E19A

FindFirstFileW.KERNEL32(?,?), ref: 0021D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0021D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0021D481
FindClose.KERNEL32(00000000), ref: 0021D498
FindClose.KERNEL32(00000000), ref: 0021D4A1

Strings

\*.*, xrefs: 0021D3F2

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5c16be84ac7f63a1a2c5c2e890d8fbfe8d90b8f8fe0cbcacfe46750cff66cc3d
Instruction ID: a4b72ee8e805bd251624d8bcfe5d292b11227f1a4c21da3d9ffa6053a04ff832
Opcode Fuzzy Hash: 5c16be84ac7f63a1a2c5c2e890d8fbfe8d90b8f8fe0cbcacfe46750cff66cc3d
Instruction Fuzzy Hash: 5C31A031019345ABC300EF64D8958EFB7E8BEB2314F944A1DF4D593191EB70AA19DB63

Function 001EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001EE645

Strings

1#IND, xrefs: 001EF83D
1#INF, xrefs: 001EF852
1#QNAN, xrefs: 001EF84B
1#SNAN, xrefs: 001EF844

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fd247c516302b3ed695a1c6cca0d2c48a4a53af640ad8a515717feece18924db
Instruction ID: bb1463d9d267a6eb090d4d6a442d3aeee5e70649ad531c39b6e7da110be18bba
Opcode Fuzzy Hash: fd247c516302b3ed695a1c6cca0d2c48a4a53af640ad8a515717feece18924db
Instruction Fuzzy Hash: 8FC23971E04A698FDB29CE299D407EEB7F5EB48305F1541EAD84DE7240E774AE828F40

Function 0022648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002264DC
CoInitialize.OLE32(00000000), ref: 00226639
CoCreateInstance.OLE32(0024FCF8,00000000,00000001,0024FB68,?), ref: 00226650
CoUninitialize.OLE32 ref: 002268D4

Strings

.lnk, xrefs: 002264BA, 00226524, 002265E0

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: caa6e9eb9df911e0f7087b595731a116d641af4eabd9ed5adb814ce867574332
Instruction ID: dce6f9c03aa862136f0016503791f2de1fdbc3b7d834bfa0ac7692bef361641c
Opcode Fuzzy Hash: caa6e9eb9df911e0f7087b595731a116d641af4eabd9ed5adb814ce867574332
Instruction Fuzzy Hash: E5D16A71518211AFC304EF64D881DABB7E8FFA9304F50496DF5958B2A1EB30ED05CBA2

Function 002322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002322E8

Part of subcall function 0022E4EC: GetWindowRect.USER32(?,?), ref: 0022E504

GetDesktopWindow.USER32 ref: 00232312
GetWindowRect.USER32(00000000), ref: 00232319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00232355
GetCursorPos.USER32(?), ref: 00232381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002323DF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ad7d014d1000e858b57c67eedf5ac849c7a334a67af8fef8a0ae78557975fb68
Instruction ID: 2bc80b506796012cfa6acde67457831d78537f6e2fe99f7565f3dab4ecf773c4
Opcode Fuzzy Hash: ad7d014d1000e858b57c67eedf5ac849c7a334a67af8fef8a0ae78557975fb68
Instruction Fuzzy Hash: FE3100B2515316AFDB20DF18DC49B9BBBE9FF85310F100919F985A7181DB34EA18CB92

Function 00229B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00229B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00229C8B

Part of subcall function 00223874: GetInputState.USER32 ref: 002238CB
Part of subcall function 00223874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00223966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00229BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00229C75

Strings

*.*, xrefs: 00229B5D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 20b3c3cf0814c3075bf5c294532ab17609b26e96406f49ce24ddf34ada88beae
Instruction ID: f5974b8fb8d353c311c416045d1f7002ff0137703bbeea8d6124506e908df8d2
Opcode Fuzzy Hash: 20b3c3cf0814c3075bf5c294532ab17609b26e96406f49ce24ddf34ada88beae
Instruction Fuzzy Hash: 0E41A47191021AAFDF54DFA4D889AEE7BF4FF19310F20405AE805A3191EB309E94CF60

Function 001C997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 001C9A4E
GetSysColor.USER32(0000000F), ref: 001C9B23
SetBkColor.GDI32(?,00000000), ref: 001C9B36

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 19baf01232f164704ad1092872c8bd0b0eff977a7a86c16da51d7b15da9697ef
Instruction ID: dcd11fb39d9fbce638621cba8a33c5f67aab26fa8b6dd9c59e144e37bd0ce4f4
Opcode Fuzzy Hash: 19baf01232f164704ad1092872c8bd0b0eff977a7a86c16da51d7b15da9697ef
Instruction Fuzzy Hash: 17A13570629500BFE72CAE2C9C8DF7B2A9DEB62340B15010DF402D76E2CB25ED61D672

Function 00231806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0023304E: inet_addr.WSOCK32(?), ref: 0023307A
Part of subcall function 0023304E: _wcslen.LIBCMT ref: 0023309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0023185D
WSAGetLastError.WSOCK32 ref: 00231884
bind.WSOCK32(00000000,?,00000010), ref: 002318DB
WSAGetLastError.WSOCK32 ref: 002318E6
closesocket.WSOCK32(00000000), ref: 00231915

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7649c7292e3c247e4f1327a81f67d9a6f53a3bcd33a63a68f09b86d274b4a4ed
Instruction ID: a5df6ff6516caca3bacda3dc62fa8e87e3fd7679682af4b0591a11cfae5991d3
Opcode Fuzzy Hash: 7649c7292e3c247e4f1327a81f67d9a6f53a3bcd33a63a68f09b86d274b4a4ed
Instruction Fuzzy Hash: 7A51C575A002009FEB10AF24D88AF6A77E5AB59718F18809CF9059F3D3C771ED518BE1

Function 00241C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00241CC0
IsWindowEnabled.USER32 ref: 00241CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00241CDB
IsIconic.USER32 ref: 00241CE9
IsZoomed.USER32 ref: 00241CF7

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b85ae07c8e09ac2deaff81652b132c316d4e5b0d033b06a588789d32a5083ddf
Instruction ID: 45aa22e59fdf40dd8032935009db4896b0769876ca212c332d3480095a477fed
Opcode Fuzzy Hash: b85ae07c8e09ac2deaff81652b132c316d4e5b0d033b06a588789d32a5083ddf
Instruction Fuzzy Hash: 332127317512119FD3288F1ADC84B6A7BE5EF85314F19805DE84ACB351CB71DCA2CB91

Function 001B8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 001B813C
VUUU, xrefs: 001B83E8
VUUU, xrefs: 001B83FA
VUUU, xrefs: 001B843C
VUUU, xrefs: 001F5DF0

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8c7c70942d2f98e3d370ed97a257018e446f1e309440c05b0008a21b34b61ce9
Instruction ID: 09baceb2c2c0b1c34cdedb527188ccd4e16e580c345713468d0092c67b9519ca
Opcode Fuzzy Hash: 8c7c70942d2f98e3d370ed97a257018e446f1e309440c05b0008a21b34b61ce9
Instruction Fuzzy Hash: A6A27D70E0061ECBDF28CF58C8507FEB7B6BB54714F2581AAEA15A7285DB709D81CB90

Function 00218298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002182AA

Strings

tb', xrefs: 002184F4
|, xrefs: 002182DA
(, xrefs: 002182F0

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb'$|
API String ID: 1659193697-4112980726
Opcode ID: 7c677cadc1f21f25d3b3f07b269db11f244ce96584d406f81f74de477c5dcf07
Instruction ID: 351488d97634c6d93bcb82a6051e74061860405ade06911759462cfe93323214
Opcode Fuzzy Hash: 7c677cadc1f21f25d3b3f07b269db11f244ce96584d406f81f74de477c5dcf07
Instruction Fuzzy Hash: 9E323875A107069FC728CF59C080AAAB7F0FF58710B15C56EE59ADB3A1EB70E991CB40

Function 0021AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0021AAAC
SetKeyboardState.USER32(00000080), ref: 0021AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0021AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0021AB88

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 91f3ab81d3c73ceb116f396f5e17b4fefedeb9f4bf3306179dd6278b6ed0f5bb
Instruction ID: 1d2ed20b7a9a563558d2a9333f75be1e7e5be0558529f021b936942392727e77
Opcode Fuzzy Hash: 91f3ab81d3c73ceb116f396f5e17b4fefedeb9f4bf3306179dd6278b6ed0f5bb
Instruction Fuzzy Hash: AB314A70A66288AEFB34CF68CC05BFA77E6AF74314F04421AF081521D0C3748AE0C752

Function 0022CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0022CE89
GetLastError.KERNEL32(?,00000000), ref: 0022CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0022CEFE

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c279f21a1ee1ceb7be05bfe1263260646c528f4c8b7c9723c8baa14f293a2578
Instruction ID: 4fa49742fdde9cb805a679c560843cfa409d072e27e896440d4e65bc99d813c7
Opcode Fuzzy Hash: c279f21a1ee1ceb7be05bfe1263260646c528f4c8b7c9723c8baa14f293a2578
Instruction Fuzzy Hash: 2521CFB1510716ABDB30DFA5E948BABB7FCEB50358F20442EE646D2151E7B0EE148B50

Function 00225C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00225CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00225D17
FindClose.KERNEL32(?), ref: 00225D5F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 455429fc85951ebefdfe6683694ad3a5c1534df73a69e2dc825edd0be1e1c03f
Instruction ID: e8ae8c8d58b8fb9a2de0c4f212bb3ded0fd344f121cbd81d90d2653beb0960b4
Opcode Fuzzy Hash: 455429fc85951ebefdfe6683694ad3a5c1534df73a69e2dc825edd0be1e1c03f
Instruction Fuzzy Hash: C651BB34614A12AFC714CF68D494E96B7E4FF4A324F14855EE95A8B3A2CB30EC14CF91

Function 001E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001E271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 001E2731

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a03fddfff26114edcc4d5bdb7c1f57171dc90e6ddb0b5b033767a4ea1b015f6c
Instruction ID: 58cd569543e9ab63bce33bce004535f03a3e20d59307c75754f268f16edabda2
Opcode Fuzzy Hash: a03fddfff26114edcc4d5bdb7c1f57171dc90e6ddb0b5b033767a4ea1b015f6c
Instruction Fuzzy Hash: 0F31B374911228ABCB21DF69DC8979DBBB8BF18310F5041EAE81CA7261E7749F818F45

Function 002251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00225238
SetErrorMode.KERNEL32(00000000), ref: 002252A1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0caa81f49abd25755f9e39a637a66f371da75a3f9d00ba4d9c9c89c01c4bc1d6
Instruction ID: f72ea4e0baf9daa0ce30afde7d6540c3b5c3f36c5049c851e0664bed8bd4eaec
Opcode Fuzzy Hash: 0caa81f49abd25755f9e39a637a66f371da75a3f9d00ba4d9c9c89c01c4bc1d6
Instruction Fuzzy Hash: 7D312F75A10519EFDB00DF94D888EEDBBB4FF49314F148099E8099B392DB71E856CBA0

Function 002116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001D0668
Part of subcall function 001CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0021170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0021173A
GetLastError.KERNEL32 ref: 0021174A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 7bd807c9599688d6b0411022436c28c654dcf5da3ddcb82001477aa85eefcdb7
Instruction ID: b610f38c28499da9f90d827aac9518053b9403a40d09e3fe298d994c95d96b53
Opcode Fuzzy Hash: 7bd807c9599688d6b0411022436c28c654dcf5da3ddcb82001477aa85eefcdb7
Instruction Fuzzy Hash: 5511C1B2414305AFD7189F54EC86EABB7FDEB54714B20852EE05653291EB70FC928A20

Function 0021D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0021D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0021D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0021D650

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 582c25aba8139d6ab5dc11c11984f5a218812c55211cf039f6b6386d326e4c93
Instruction ID: 536efb826dd5e2dff44c7602a8caf828775772f714a3ed5a695a244f849a8c3e
Opcode Fuzzy Hash: 582c25aba8139d6ab5dc11c11984f5a218812c55211cf039f6b6386d326e4c93
Instruction Fuzzy Hash: 0C113075E05228BBDB108F99AC49FAFBBBCEB45B50F104155F904E7290D6B05A058BA1

Function 00211663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0021168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002116A1
FreeSid.ADVAPI32(?), ref: 002116B1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 08e929c93937b55cee5d5b6f67d9eadab62ea3ea3d9ab9b0417f56f24ec050ed
Instruction ID: 52c585199c1a872c4445733fc6493a9e08c05d9455173b3d3597002a9e138317
Opcode Fuzzy Hash: 08e929c93937b55cee5d5b6f67d9eadab62ea3ea3d9ab9b0417f56f24ec050ed
Instruction Fuzzy Hash: 37F0F475A51309FBDB00DFE49C89AAEBBBCEB08605F504965E501E2181E774AA448A54

Function 001EC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 001EC36C

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0fec85a5a1585df3ea67399eaba8c95a69a8b9e8d319144d2a3e02a91174d5ce
Instruction ID: 92c37ad112a75585dd4de68bb9f192cf671d9c03c84d1d345ed6926b704ad142
Opcode Fuzzy Hash: 0fec85a5a1585df3ea67399eaba8c95a69a8b9e8d319144d2a3e02a91174d5ce
Instruction Fuzzy Hash: D0412876900A596BCB249FBADC49EBF7778EB84314F1042A9F915D7280E7709D828B90

Function 001DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 81fdda32b4bc4e32412c3a366d2050238eb4cbd970f4ec2c775f37a319157cea
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A9021D71E0011A9BDF14CFA9C9806ADFBF1EF48314F25466AD919E7384D731AA41CBD4

Function 001BCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#(, xrefs: 001BCF7F
Variable is not of type 'Object'., xrefs: 00200C40

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#(
API String ID: 0-1684414423
Opcode ID: d0e65be3bd61867bc3ee085a716fb0fc774d55ba395501944f91b0fbe7760485
Instruction ID: 823e207f94015cd58eae6dc045433ce06d6b330f59351045387e33cb6dd79d34
Opcode Fuzzy Hash: d0e65be3bd61867bc3ee085a716fb0fc774d55ba395501944f91b0fbe7760485
Instruction Fuzzy Hash: AD329B74910219DBDF14DF94C881BFDBBB5FF25304F248069E806AB292DB75AE45CBA0

Function 002268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00226918
FindClose.KERNEL32(00000000), ref: 00226961

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 29818225bef282cbe8a1f34c859438387b82b00c7de92e68123462c70be91aa9
Instruction ID: 290e8728b4dbf757ef65aca68fb78fda6e27959999d9478d6a7524f37e5618f8
Opcode Fuzzy Hash: 29818225bef282cbe8a1f34c859438387b82b00c7de92e68123462c70be91aa9
Instruction Fuzzy Hash: 0911D3356142119FC710CF69D488A16BBE0FF85328F14C69DF4698F6A2CB70EC45CB90

Function 002237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00234891,?,?,00000035,?), ref: 002237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00234891,?,?,00000035,?), ref: 002237F4

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bb0c6311c9c8f531eac98d38c1a7a14d393e4f8b7f4321b8e0a9548ba4c697d7
Instruction ID: dab22ce2b5d6e488613410d623c473d1fc8e8fac125f3b400f11657af674ced1
Opcode Fuzzy Hash: bb0c6311c9c8f531eac98d38c1a7a14d393e4f8b7f4321b8e0a9548ba4c697d7
Instruction Fuzzy Hash: 6CF05C706052283BDB1057A55C4CFEB7A9DDFC5760F000161F504D2180C6A04904C6B0

Function 0021B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0021B25D
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 0021B270

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: cd95b8ad423fe8100ffcce46442b240f44c3034774946eed1508e91f516b5b14
Instruction ID: a08d0e84afac9b240520838a569f66b5e09f8fb70a3d7a006e57e42300be3b9f
Opcode Fuzzy Hash: cd95b8ad423fe8100ffcce46442b240f44c3034774946eed1508e91f516b5b14
Instruction Fuzzy Hash: ACF06D7481424EABDB058FA4C805BEE7BB4FF04305F108009F951A5191C3798615DF94

Function 002110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002111FC), ref: 002110D4
CloseHandle.KERNEL32(?,?,002111FC), ref: 002110E9

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 05cfec45356f5652fb97d06084d42fcf65071ef882cdb511685ba990e0de6799
Instruction ID: 93f6c05357823728323baf618ac9a60f1fee3d108909f26ec3744d741dafef03
Opcode Fuzzy Hash: 05cfec45356f5652fb97d06084d42fcf65071ef882cdb511685ba990e0de6799
Instruction Fuzzy Hash: 82E04F32019610AEE7252F55FC09FB37BE9EB14310B20882DF5A6804B1DB62ACA0DB10

Function 001E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001E6766,?,?,00000008,?,?,001EFEFE,00000000), ref: 001E6998

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 93d6f771f18ff11b9f7e5f388df3702990b82276d49360ce6f3bddad0831d225
Instruction ID: 1112f54370c748fa1c8c7418dcd07d2cf183da48c33dba3363217305c20c8e23
Opcode Fuzzy Hash: 93d6f771f18ff11b9f7e5f388df3702990b82276d49360ce6f3bddad0831d225
Instruction Fuzzy Hash: 5CB17E31510A48CFD719CF29C486B687BE0FF553A4F658658E8D9CF2A2C335E981CB40

Function 001CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0020851F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d8c262a7e972a335c41c86664688f32285f0dcb23626f64e824867ae8cef0860
Instruction ID: a09c3ab71744b3014b54fe97b35206ced81558959729a885884276d0ebc09d3c
Opcode Fuzzy Hash: d8c262a7e972a335c41c86664688f32285f0dcb23626f64e824867ae8cef0860
Instruction Fuzzy Hash: 6A1250719142299FCB14CF58C881BEEB7B5FF58710F15819AE849EB292DB309E91CF90

Function 0022EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0022EABD

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a393a9644a83971c52c7aa919bfd82ea4000715b3c86ce92b845267f83ad93e7
Instruction ID: dfdb6aa8ad6001f5117cb4256d0c3fb211ac963c19a1df144646fed792c88271
Opcode Fuzzy Hash: a393a9644a83971c52c7aa919bfd82ea4000715b3c86ce92b845267f83ad93e7
Instruction Fuzzy Hash: B6E04F35210214AFC710EF9DE844E9AF7EDAFA9760F01841AFC4AC7351DBB0E8408B91

Function 001D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001D03EE), ref: 001D09DA

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7a43e604b5a04612e6e7023e665d1cd7bcd8b31bb061619741fbccead62e9766
Instruction ID: 93b80bd4de672b8d4c5f833dc4ec2f51b7c5d8a9db2bfc57b51b1d79b920b70c
Opcode Fuzzy Hash: 7a43e604b5a04612e6e7023e665d1cd7bcd8b31bb061619741fbccead62e9766
Instruction Fuzzy Hash:

Function 001D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 001D798B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4177a0bea3327ce5e565ffd9c761053d5aa853b50c4882918298bb0f35e3bdca
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: BD51667260C7459BDF3C856C886EBBE63999B12358F18050BE886D73C2FB15EE01E356

Function 00222046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&(, xrefs: 00222053

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: 0&(
API String ID: 0-759240540
Opcode ID: 336a555eb7aeb5686c257b17a49e49b2f643313d5193deeb6ed40f65f3ae7f05
Instruction ID: bfac38593ffedafeb2c8b4f7c8691a50431866334e5eefaa948ef22cf078c6b5
Opcode Fuzzy Hash: 336a555eb7aeb5686c257b17a49e49b2f643313d5193deeb6ed40f65f3ae7f05
Instruction Fuzzy Hash: 2321BB32621521DBD728CF79D81767E73E5A764310F15862EE4A7C77D0DE36A908CB40

Function 001E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5431af5924abe4801f82265932de682939774411084bbf891fa700711822f0b
Instruction ID: 44947fb829bb70f29bb08e87841e02f6b338f8b1225f732679c2e76a98a17d18
Opcode Fuzzy Hash: f5431af5924abe4801f82265932de682939774411084bbf891fa700711822f0b
Instruction Fuzzy Hash: 06324522D29F814DE7239635DC26339A259AFB73C6F15C737E81AB59E5EB39C4834100

Function 001CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bac092c7bd4a447726f27e58cbe7ebd35fb6d68b9bb76f1cc6776af271b649d
Instruction ID: 0be1fd45a0e2a5d9720db40e556e71ca7839d613fadff7db48c387998b26d2a6
Opcode Fuzzy Hash: 6bac092c7bd4a447726f27e58cbe7ebd35fb6d68b9bb76f1cc6776af271b649d
Instruction Fuzzy Hash: 7132D1B1A242168BDF28CF29C494B7D77A1EB45314F38866AD85ACB2D3D330DDA1DB41

Function 001B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8464657374745adcc760df7067a4e7b618f012bd485f5264bac06ef67f80a1
Instruction ID: 37bdd381de4d2889b2520d36ce881dacca6485728b54df066711cd8ad17bbbcb
Opcode Fuzzy Hash: 8f8464657374745adcc760df7067a4e7b618f012bd485f5264bac06ef67f80a1
Instruction Fuzzy Hash: 1022C070A0460ADFDF14CF64D981AFEB7F2FF54300F244529E916AB291EB369951CB50

Function 001B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc1dc07cd5f4f5f52856895f14fc6ed94c4f63fe7ce9bcb2f16df703d14b852
Instruction ID: 6d34e5de90774f37e13c1e4601aa512e93d86180c85304298d17039255bbbb86
Opcode Fuzzy Hash: bcc1dc07cd5f4f5f52856895f14fc6ed94c4f63fe7ce9bcb2f16df703d14b852
Instruction Fuzzy Hash: 440295B0E00209EBDB14DF64D881ABDB7F1FF54300F518169E91ADB2A1E731EA61CB91

Function 001D1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c48789963009d7ab4b74ea28fc5caf0bf15c9e833e1b7f666499701d7ae29b57
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 8A9158736080A379DB2E467D857407EFFE25A923A131A079FD4F2CA2C5FF249554D620

Function 001D19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1b1939d33b7aed7b7307c01e4e8a709c6a6c59239a58c82db4313c4bd6facbca
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2E9120722090E36ADB2D467A857407EFFF15A923A231A079FD4F2CB2C5FF249564D620

Function 001D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33da8e8d9ff18e2f1d0cccbcac7d6a67fae02e4f70867977fbf0f94094144d14
Instruction ID: 6562b2544c9fa858bca21a3c576b4970dbb35d534fcc406b058c4a7acae647f8
Opcode Fuzzy Hash: 33da8e8d9ff18e2f1d0cccbcac7d6a67fae02e4f70867977fbf0f94094144d14
Instruction Fuzzy Hash: 9061397160870A9ADE38AA2C8DA6BBF6394DF51704F18091FE842DB3C1F715DE42C355

Function 001D7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c109758b1f10ef58e77139d2ec30a3c57fa28db505fdff3df747e48051faeb
Instruction ID: bcf4b77f3d77ae32bcb001acc8d217d44d2335bef09b3d71ac73f8fc2a4781d9
Opcode Fuzzy Hash: b8c109758b1f10ef58e77139d2ec30a3c57fa28db505fdff3df747e48051faeb
Instruction Fuzzy Hash: 59617931208F0967DE395AA89896BBF639AEF52744F10095BE843DB3C1FB12ED42C355

Function 001D1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b6634a502810563fe16009a6ddb4cd22453e79ec0c89e88fe0943de7fcd7ef5f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 5F8173736080A339EB2D827A857403EFFE15A923A531A079FD4F2CA2D1EF249554E620

Function 002470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0024712F
GetSysColorBrush.USER32(0000000F), ref: 00247160
GetSysColor.USER32(0000000F), ref: 0024716C
SetBkColor.GDI32(?,000000FF), ref: 00247186
SelectObject.GDI32(?,?), ref: 00247195
InflateRect.USER32(?,000000FF,000000FF), ref: 002471C0
GetSysColor.USER32(00000010), ref: 002471C8
CreateSolidBrush.GDI32(00000000), ref: 002471CF
FrameRect.USER32(?,?,00000000), ref: 002471DE
DeleteObject.GDI32(00000000), ref: 002471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00247230
FillRect.USER32(?,?,?), ref: 00247262
GetWindowLongW.USER32(?,000000F0), ref: 00247284

Part of subcall function 002473E8: GetSysColor.USER32(00000012), ref: 00247421
Part of subcall function 002473E8: SetTextColor.GDI32(?,?), ref: 00247425
Part of subcall function 002473E8: GetSysColorBrush.USER32(0000000F), ref: 0024743B
Part of subcall function 002473E8: GetSysColor.USER32(0000000F), ref: 00247446
Part of subcall function 002473E8: GetSysColor.USER32(00000011), ref: 00247463
Part of subcall function 002473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00247471
Part of subcall function 002473E8: SelectObject.GDI32(?,00000000), ref: 00247482
Part of subcall function 002473E8: SetBkColor.GDI32(?,00000000), ref: 0024748B
Part of subcall function 002473E8: SelectObject.GDI32(?,?), ref: 00247498
Part of subcall function 002473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002474B7
Part of subcall function 002473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002474CE
Part of subcall function 002473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002474DB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: cb2e5b9cdc459fa590244a0468f0d4c96ffab2635fcba54ed141deef14eacc5c
Instruction ID: 7def95dcbf423aacb879cbd135a8b816a2266d3f8197f66a02db37f33e4eae0e
Opcode Fuzzy Hash: cb2e5b9cdc459fa590244a0468f0d4c96ffab2635fcba54ed141deef14eacc5c
Instruction Fuzzy Hash: 96A1C176019302AFD755DF64EC4CE5B7BA9FB8A320F200A19F966A61E1D770E804CF51

Function 001C8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001C8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00206AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00206AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00206F43

Part of subcall function 001C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001C8BE8,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 001C8FC5

SendMessageW.USER32(?,00001053), ref: 00206F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00206F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00206FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00206FB7

Strings

0, xrefs: 00206DCF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ce0a78f8d517e2a5a8c753cee482bcd0ade232c92fee3ba88e41582181d76983
Instruction ID: 78f6129fd8c85484ad84db5a4d0722c1efb38b78740b08aae6d795761c6bb1fe
Opcode Fuzzy Hash: ce0a78f8d517e2a5a8c753cee482bcd0ade232c92fee3ba88e41582181d76983
Instruction Fuzzy Hash: 85128B342112129FD725DF18D88CFA9B7E5FB55300F14446DE4959B6A2CB31E872CB91

Function 00232711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0023273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0023286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00232900
GetClientRect.USER32(00000000,?), ref: 0023290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00232955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00232964
GetStockObject.GDI32(00000011), ref: 00232974
SelectObject.GDI32(00000000,00000000), ref: 00232978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00232988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00232991
DeleteDC.GDI32(00000000), ref: 0023299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00232A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00232A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00232A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00232A77
GetStockObject.GDI32(00000011), ref: 00232A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00232A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00232A97

Strings

DISPLAY, xrefs: 0023295A
AutoIt v3, xrefs: 002328F8
static, xrefs: 0023294F, 00232A71
msctls_progress32, xrefs: 00232A13

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9c6eb3456334664fc3fc9a817437b18f30cadc281b05037dc8d3b9fd7f76162d
Instruction ID: 09bbf9ff278789bd029cef1896f36d7c4ce0493086846d1a6ce1caea1f011529
Opcode Fuzzy Hash: 9c6eb3456334664fc3fc9a817437b18f30cadc281b05037dc8d3b9fd7f76162d
Instruction Fuzzy Hash: 14B18DB5A11205AFEB14CF68DC89FAEBBA9EF49710F108554F915E72D0D770AD10CBA0

Function 00224ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00224AED
GetDriveTypeW.KERNEL32(?,0024CB68,?,\\.\,0024CC08), ref: 00224BCA
SetErrorMode.KERNEL32(00000000,0024CB68,?,\\.\,0024CC08), ref: 00224D36

Strings

Unknown, xrefs: 00224BED, 00224C83
Network, xrefs: 00224C02
Virtual, xrefs: 00224CE5
SAS, xrefs: 00224CC9
Removable, xrefs: 00224C10, 00224C15
USB, xrefs: 00224CB4
ATAPI, xrefs: 00224C91
MMC, xrefs: 00224CDE
SCSI, xrefs: 00224C8A
CDROM, xrefs: 00224BFB
\\.\, xrefs: 00224B3F
RAMDisk, xrefs: 00224BF4
RAID, xrefs: 00224CBB
Fibre, xrefs: 00224CAD
FileBackedVirtual, xrefs: 00224CEC
Fixed, xrefs: 00224C09
SSD, xrefs: 00224C4A
iSCSI, xrefs: 00224CC2
PhysicalDrive, xrefs: 00224B76
SSA, xrefs: 00224CA6
SATA, xrefs: 00224CD0
ATA, xrefs: 00224C98
1394, xrefs: 00224C9F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0274146051c978f02bf4ab68afa144ff2dcfc197f82adad935f34bfddc475d71
Instruction ID: 78a47ebf4a0a72566d02e02ee9af7d452ef26247b735143fd9490129711a07ec
Opcode Fuzzy Hash: 0274146051c978f02bf4ab68afa144ff2dcfc197f82adad935f34bfddc475d71
Instruction Fuzzy Hash: 3A610630631516FBCB15FFA8EA89DAC77A0AB15304B208117F80AAB651DFB1DD71DB41

Function 002473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00247421
SetTextColor.GDI32(?,?), ref: 00247425
GetSysColorBrush.USER32(0000000F), ref: 0024743B
GetSysColor.USER32(0000000F), ref: 00247446
CreateSolidBrush.GDI32(?), ref: 0024744B
GetSysColor.USER32(00000011), ref: 00247463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00247471
SelectObject.GDI32(?,00000000), ref: 00247482
SetBkColor.GDI32(?,00000000), ref: 0024748B
SelectObject.GDI32(?,?), ref: 00247498
InflateRect.USER32(?,000000FF,000000FF), ref: 002474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0024752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00247554
InflateRect.USER32(?,000000FD,000000FD), ref: 00247572
DrawFocusRect.USER32(?,?), ref: 0024757D
GetSysColor.USER32(00000011), ref: 0024758E
SetTextColor.GDI32(?,00000000), ref: 00247596
DrawTextW.USER32(?,002470F5,000000FF,?,00000000), ref: 002475A8
SelectObject.GDI32(?,?), ref: 002475BF
DeleteObject.GDI32(?), ref: 002475CA
SelectObject.GDI32(?,?), ref: 002475D0
DeleteObject.GDI32(?), ref: 002475D5
SetTextColor.GDI32(?,?), ref: 002475DB
SetBkColor.GDI32(?,?), ref: 002475E5

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: af4cad0a8b364f7cb8e04fb0d55716d3f4464efbe81f1e64ded3f36c0393b876
Instruction ID: c95b054ad0edc27fc79f1f8ded5dbd940df40a0e2b1e8e2dcdecda9992fd4293
Opcode Fuzzy Hash: af4cad0a8b364f7cb8e04fb0d55716d3f4464efbe81f1e64ded3f36c0393b876
Instruction Fuzzy Hash: 98618D76901218AFDF059FA8EC48EEEBFB9EB09320F214115F915BB2A1D7709950CF90

Function 00240FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00241128
GetDesktopWindow.USER32 ref: 0024113D
GetWindowRect.USER32(00000000), ref: 00241144
GetWindowLongW.USER32(?,000000F0), ref: 00241199
DestroyWindow.USER32(?), ref: 002411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0024120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0024121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00241232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00241245
IsWindowVisible.USER32(00000000), ref: 002412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002412D0
GetWindowRect.USER32(00000000,?), ref: 002412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0024130E
GetMonitorInfoW.USER32(00000000,?), ref: 00241328
CopyRect.USER32(?,?), ref: 0024133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002413AA

Strings

(, xrefs: 0024131B
tooltips_class32, xrefs: 002411E6
0, xrefs: 002410D3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f0e6c0c226c742819b40a593ed9dc00ba6e9d012b42ea8646a7aaea0aa0b5f02
Instruction ID: 637eb4d2c7dfd4ce507133a0e8b6a44c462ddddde7990ff51f3b13c8bf78590f
Opcode Fuzzy Hash: f0e6c0c226c742819b40a593ed9dc00ba6e9d012b42ea8646a7aaea0aa0b5f02
Instruction Fuzzy Hash: 17B19F71618341AFD714DF64D888BAEBBE4FF85350F00891CF9999B261C771E8A4CB92

Function 00240241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002402E5
_wcslen.LIBCMT ref: 0024031F
_wcslen.LIBCMT ref: 00240389
_wcslen.LIBCMT ref: 002403F1
_wcslen.LIBCMT ref: 00240475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002404C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00240504

Part of subcall function 001CF9F2: _wcslen.LIBCMT ref: 001CF9FD

Part of subcall function 0021223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00212258
Part of subcall function 0021223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0021228A

Strings

GETSUBITEMCOUNT, xrefs: 00240384, 0024039F
VIEWCHANGE, xrefs: 00240675
GETTEXT, xrefs: 002403EC, 00240407
ISSELECTED, xrefs: 002404DD
SELECTALL, xrefs: 00240515
DESELECT, xrefs: 0024059C
GETITEMCOUNT, xrefs: 00240316, 00240337
SELECTCLEAR, xrefs: 0024052D
GETSELECTED, xrefs: 002405E1
GETSELECTEDCOUNT, xrefs: 00240470, 0024048B
SELECTINVERT, xrefs: 0024057E
FINDITEM, xrefs: 00240627
SELECT, xrefs: 00240548

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: ceda8b032ea4167727bf5c1290fd1fc7a028648494f973f9287602f37b440136
Instruction ID: 44d82011c00c2b3c85634ca5972f711c43aca066316ed27848f446f51ff591d7
Opcode Fuzzy Hash: ceda8b032ea4167727bf5c1290fd1fc7a028648494f973f9287602f37b440136
Instruction Fuzzy Hash: FDE1B1312282018FC728DF24C49196EB7E6FFE8714F14895DF9969B2A1D730ED95CB41

Function 001C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001C8968
GetSystemMetrics.USER32(00000007), ref: 001C8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001C899B
GetSystemMetrics.USER32(00000008), ref: 001C89A3
GetSystemMetrics.USER32(00000004), ref: 001C89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001C89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001C8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001C8A3C
GetClientRect.USER32(00000000,000000FF), ref: 001C8A5A
GetStockObject.GDI32(00000011), ref: 001C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 001C8A81

Part of subcall function 001C912D: GetCursorPos.USER32(?), ref: 001C9141
Part of subcall function 001C912D: ScreenToClient.USER32(00000000,?), ref: 001C915E
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000001), ref: 001C9183
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000002), ref: 001C919D

SetTimer.USER32(00000000,00000000,00000028,001C90FC), ref: 001C8AA8

Strings

AutoIt v3 GUI, xrefs: 001C8A20

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: a4db1081700582d146d7de1892dda5d91c4f1d78ed6290e93548b2a69e73dd7f
Instruction ID: cc1b2412b02903e61bf42b64b6435610a61a8e82f3dd62e2246bd14777c7852c
Opcode Fuzzy Hash: a4db1081700582d146d7de1892dda5d91c4f1d78ed6290e93548b2a69e73dd7f
Instruction Fuzzy Hash: 9AB18E35A0120AAFDB14DFA8DC89FAE7BB5FB48314F114219FA15A72D0DB34E861CB51

Function 00210D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00211114
Part of subcall function 002110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211120
Part of subcall function 002110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 0021112F
Part of subcall function 002110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211136
Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0021114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00210DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00210E29
GetLengthSid.ADVAPI32(?), ref: 00210E40
GetAce.ADVAPI32(?,00000000,?), ref: 00210E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00210E96
GetLengthSid.ADVAPI32(?), ref: 00210EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00210EB5
HeapAlloc.KERNEL32(00000000), ref: 00210EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00210EDD
CopySid.ADVAPI32(00000000), ref: 00210EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00210F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00210F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00210F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210F6E
HeapFree.KERNEL32(00000000), ref: 00210F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210F7E
HeapFree.KERNEL32(00000000), ref: 00210F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210F8E
HeapFree.KERNEL32(00000000), ref: 00210F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00210FA1
HeapFree.KERNEL32(00000000), ref: 00210FA8

Part of subcall function 00211193: GetProcessHeap.KERNEL32(00000008,00210BB1,?,00000000,?,00210BB1,?), ref: 002111A1
Part of subcall function 00211193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00210BB1,?), ref: 002111A8
Part of subcall function 00211193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00210BB1,?), ref: 002111B7

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a1208c8ab7df2cf7063b1084284dcc06e4d9bff7fbfcecda406b9feef5bbd131
Instruction ID: 453f19c41594488aa5121c04f109859ac183fa97beeb52fc56abc8ebcaad47dc
Opcode Fuzzy Hash: a1208c8ab7df2cf7063b1084284dcc06e4d9bff7fbfcecda406b9feef5bbd131
Instruction Fuzzy Hash: CE719E7190120AEBDF209FA5EC89FEEBBB8BF15300F144125F918E6191DB709996CB60

Function 0023C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0024CC08,00000000,?,00000000,?,?), ref: 0023C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0023C5A4
_wcslen.LIBCMT ref: 0023C5F4
_wcslen.LIBCMT ref: 0023C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0023C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0023C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0023C84D
RegCloseKey.ADVAPI32(?), ref: 0023C881
RegCloseKey.ADVAPI32(00000000), ref: 0023C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0023C960

Strings

REG_BINARY, xrefs: 0023C913
REG_QWORD, xrefs: 0023C8C3
REG_SZ, xrefs: 0023C644
REG_DWORD, xrefs: 0023C804
REG_MULTI_SZ, xrefs: 0023C6F5
REG_EXPAND_SZ, xrefs: 0023C5CD

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 562642a394e238168ac990f6326ef2b9232687cd22004bfed13c63d1aa32bd96
Instruction ID: 3191f8fc983922843e575ba1867f9aa6327a5f173dbd4b2ce052c6253787040b
Opcode Fuzzy Hash: 562642a394e238168ac990f6326ef2b9232687cd22004bfed13c63d1aa32bd96
Instruction Fuzzy Hash: 341279752142019FC725DF24D881B6AB7E5FF88714F14889DF88AAB3A2DB31ED41CB91

Function 0024091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002409C6
_wcslen.LIBCMT ref: 00240A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00240A54
_wcslen.LIBCMT ref: 00240A8A
_wcslen.LIBCMT ref: 00240B06
_wcslen.LIBCMT ref: 00240B81

Part of subcall function 001CF9F2: _wcslen.LIBCMT ref: 001CF9FD

Part of subcall function 00212BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00212BFA

Strings

GETITEMCOUNT, xrefs: 00240C1E
UNCHECK, xrefs: 00240D3E
GETSELECTED, xrefs: 00240C4E
GETTEXT, xrefs: 00240C97
EXPAND, xrefs: 00240BF8
CHECK, xrefs: 00240A85, 00240AA0
COLLAPSE, xrefs: 00240B01, 00240B1C
ISCHECKED, xrefs: 00240CE1
GETTOTALCOUNT, xrefs: 002409F2, 00240A17
EXISTS, xrefs: 00240B7C, 00240B97
SELECT, xrefs: 00240D11

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d7e9c8074f480f4ad95f608280d27ec3ae1c3bb213d75719d1fc32630ad363b7
Instruction ID: ff3289be5f324cb407e500faf7a3525a23ea0c7072bc8db33269e0d0bb1484b5
Opcode Fuzzy Hash: d7e9c8074f480f4ad95f608280d27ec3ae1c3bb213d75719d1fc32630ad363b7
Instruction Fuzzy Hash: 7CE19031228702CFC718DF25C49196AB7E1FFA8318B14895DF9969B3A2D730ED95CB81

Function 0023C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
_wcslen.LIBCMT ref: 0023C9F1
_wcslen.LIBCMT ref: 0023CA68
_wcslen.LIBCMT ref: 0023CA9E
_wcslen.LIBCMT ref: 0023CAF9
_wcslen.LIBCMT ref: 0023CB2F
_wcslen.LIBCMT ref: 0023CB7F

Strings

HKLM, xrefs: 0023CA98, 0023CA9D
HKEY_USERS, xrefs: 0023CBDF
HKEY_LOCAL_MACHINE, xrefs: 0023CA62, 0023CA67
HKEY_CLASSES_ROOT, xrefs: 0023CAF3, 0023CAF8
HKEY_CURRENT_CONFIG, xrefs: 0023CB79, 0023CB7E
HKCU, xrefs: 0023CBCE
HKCC, xrefs: 0023CBAC
HKCR, xrefs: 0023CB29, 0023CB2E
HKEY_CURRENT_USER, xrefs: 0023CBBD
HKU, xrefs: 0023CBF0

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f57e469b364f0f11036e18846a9ca35a52a1e6fac696e33da2458975cb492abd
Instruction ID: f863c96155db8fbef13fb79996d5df50cfaa2d5bc2d068f3f732d002205cdc64
Opcode Fuzzy Hash: f57e469b364f0f11036e18846a9ca35a52a1e6fac696e33da2458975cb492abd
Instruction Fuzzy Hash: 9F71E2B263012B8BCB20DE6CCD515BE7396AB70758F314529F856B7284EB31CD65C3A0

Function 0024833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0024835A
_wcslen.LIBCMT ref: 0024836E
_wcslen.LIBCMT ref: 00248391
_wcslen.LIBCMT ref: 002483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00245BF2), ref: 0024844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00248487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00248501
FreeLibrary.KERNEL32(?), ref: 0024850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0024851D
DestroyIcon.USER32(?,?,?,?,?,00245BF2), ref: 0024852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00248549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00248555

Strings

.exe, xrefs: 00248388
.icl, xrefs: 00248368
.dll, xrefs: 002483AB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: d6329d4a685f7e9fa46cc4f314426d0caf0af2fcd30e4be36549d8f922bd1fb0
Instruction ID: 3d86fa4ac5e74ab2a9d74534d540c6f87d0bd264d2f8d40a1d0ac63f7c816c64
Opcode Fuzzy Hash: d6329d4a685f7e9fa46cc4f314426d0caf0af2fcd30e4be36549d8f922bd1fb0
Instruction Fuzzy Hash: 2E610571920216BFEB18CF64DC85BBE77ACBF08710F104509F815DA1D1DBB499A0CBA0

Function 001B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 001B77E7
#include, xrefs: 001B7847
#comments-start, xrefs: 001B785F, 001B78B1
", xrefs: 001F5153
Cannot parse #include, xrefs: 001F5279
#comments-end, xrefs: 001B78D9
#cs, xrefs: 001B7873, 001B78C5
#pragma compile, xrefs: 001B77D3
Bad directive syntax error, xrefs: 001F519A
Unterminated group of comments, xrefs: 001F528C
#requireadmin, xrefs: 001B77FF
#include-once, xrefs: 001B782F
#OnAutoItStartRegister, xrefs: 001B7817
', xrefs: 001F5169
#ce, xrefs: 001B78ED

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 25b42ab0856473ea01989399fae1c34e3b8b29a7cc973d6af43adf76598d94e9
Instruction ID: a70f28ea29c76758f53dd9e37cc4541ac1b111cad1942b557d66b3bc147c3503
Opcode Fuzzy Hash: 25b42ab0856473ea01989399fae1c34e3b8b29a7cc973d6af43adf76598d94e9
Instruction Fuzzy Hash: E5812971604609BBDB24BF60DC46FFE37A9AFA5300F054025FA05AB1D6EB70D912DB91

Function 00215A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00215A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00215A40
SetWindowTextW.USER32(?,?), ref: 00215A57
GetDlgItem.USER32(?,000003EA), ref: 00215A6C
SetWindowTextW.USER32(00000000,?), ref: 00215A72
GetDlgItem.USER32(?,000003E9), ref: 00215A82
SetWindowTextW.USER32(00000000,?), ref: 00215A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00215AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00215AC3
GetWindowRect.USER32(?,?), ref: 00215ACC
_wcslen.LIBCMT ref: 00215B33
SetWindowTextW.USER32(?,?), ref: 00215B6F
GetDesktopWindow.USER32 ref: 00215B75
GetWindowRect.USER32(00000000), ref: 00215B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00215BD3
GetClientRect.USER32(?,?), ref: 00215BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00215C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00215C2F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 3bc292fdb6c4aa1ad6d6e92087591a82ba2297885469015de63ba97369d7d3e3
Instruction ID: cafc013e1e4d4c1721260d12b6f0905ec29dac560a21e513877eef58a1d34880
Opcode Fuzzy Hash: 3bc292fdb6c4aa1ad6d6e92087591a82ba2297885469015de63ba97369d7d3e3
Instruction Fuzzy Hash: 2871A031910B1AEFCB20DFA8CD89AAEBBF5FF98704F104558E142A21A4D775E990CF50

Function 002130F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021318D
_wcslen.LIBCMT ref: 002131F8

Strings

INSTANCE, xrefs: 00213453
CLASSNN, xrefs: 002131F3, 00213204
[', xrefs: 0021339A
REGEXPCLASS, xrefs: 00213255, 00213266
TEXT, xrefs: 0021347C
NAME, xrefs: 00213335, 00213346
CLASS, xrefs: 00213188, 002131A5

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$['
API String ID: 176396367-1161093653
Opcode ID: 605a1aa2824888cfc11107a862e9890e62f9cd835430cabace3d8e4f548c2a57
Instruction ID: bedc71f2379769c7d5acb46b9ff1f6749f869e1fc8798f31b8e4a07b05508112
Opcode Fuzzy Hash: 605a1aa2824888cfc11107a862e9890e62f9cd835430cabace3d8e4f548c2a57
Instruction Fuzzy Hash: 39E1F532A20516ABCB18DF68C4516EDFBF6BF34710F54812AE456E7240DB70AEE5C790

Function 001D00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001D00C6

Part of subcall function 001D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0028070C,00000FA0,FFA38C04,?,?,?,?,001F23B3,000000FF), ref: 001D011C
Part of subcall function 001D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001F23B3,000000FF), ref: 001D0127
Part of subcall function 001D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001F23B3,000000FF), ref: 001D0138
Part of subcall function 001D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001D014E
Part of subcall function 001D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001D015C
Part of subcall function 001D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001D016A
Part of subcall function 001D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001D0195
Part of subcall function 001D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001D01A0

___scrt_fastfail.LIBCMT ref: 001D00E7

Part of subcall function 001D00A3: __onexit.LIBCMT ref: 001D00A9

Strings

InitializeConditionVariable, xrefs: 001D0148
kernel32.dll, xrefs: 001D0133
WakeAllConditionVariable, xrefs: 001D0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 001D0122
SleepConditionVariableCS, xrefs: 001D0154

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 28d19ff3bf0581b2a7db9319fdc32e534db24ff48b0140a6689e018abe171379
Instruction ID: e16bc757f1e7f881b724917a1ebc8c83ba4b559205892fdde4de08e307b6ab1d
Opcode Fuzzy Hash: 28d19ff3bf0581b2a7db9319fdc32e534db24ff48b0140a6689e018abe171379
Instruction Fuzzy Hash: 52210836A46710ABE7566BA8BC4DF6A73D4EB5EB51F11013BF805E2391DB70DC008AA0

Function 002244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0024CC08), ref: 00224527
_wcslen.LIBCMT ref: 0022453B
_wcslen.LIBCMT ref: 00224599
_wcslen.LIBCMT ref: 002245F4
_wcslen.LIBCMT ref: 0022463F
_wcslen.LIBCMT ref: 002246A7

Part of subcall function 001CF9F2: _wcslen.LIBCMT ref: 001CF9FD

GetDriveTypeW.KERNEL32(?,00276BF0,00000061), ref: 00224743

Strings

ramdisk, xrefs: 002246F1
removable, xrefs: 002245EA, 002245EF
unknown, xrefs: 00224708
network, xrefs: 0022469D, 002246A2
all, xrefs: 00224531, 00224536
fixed, xrefs: 00224635, 0022463A
cdrom, xrefs: 0022458F, 00224594

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 93e4cd8ef3913dbd60dbc7380e9701d6694e40fa36dbf400185445141b276b76
Instruction ID: 37ae94d9bbafb2168af25778fafcb330e53fca78d9c4d6c2e2b15e062e7e8716
Opcode Fuzzy Hash: 93e4cd8ef3913dbd60dbc7380e9701d6694e40fa36dbf400185445141b276b76
Instruction Fuzzy Hash: B7B13531628322AFC710EF68E890A7EB7E5BFA6724F50491DF496C7291D730D864CB52

Function 0024911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DragQueryPoint.SHELL32(?,?), ref: 00249147

Part of subcall function 00247674: ClientToScreen.USER32(?,?), ref: 0024769A
Part of subcall function 00247674: GetWindowRect.USER32(?,?), ref: 00247710
Part of subcall function 00247674: PtInRect.USER32(?,?,00248B89), ref: 00247720

SendMessageW.USER32(?,000000B0,?,?), ref: 002491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00249225
SendMessageW.USER32(?,000000B0,?,?), ref: 0024923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00249255
SendMessageW.USER32(?,000000B1,?,?), ref: 00249277
DragFinish.SHELL32(?), ref: 0024927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00249371

Strings

@GUI_DRAGID, xrefs: 002492E9
@GUI_DROPID, xrefs: 0024929E
p#(, xrefs: 002492BB
@GUI_DRAGFILE, xrefs: 00249320

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#(
API String ID: 221274066-1174176935
Opcode ID: f766f7371d3aa884714119bba6381c33fefe991f451cb7e9392bac650a725e1d
Instruction ID: e0d7282aa567043e954ef243a38fdd2a25194b486d3026c3009149cb718eee0d
Opcode Fuzzy Hash: f766f7371d3aa884714119bba6381c33fefe991f451cb7e9392bac650a725e1d
Instruction Fuzzy Hash: 65619871108301AFC305EF64DC89DAFBBE8EF99750F10092EF995921A0DB709A59CB92

Function 001B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00281990), ref: 001F2F8D
GetMenuItemCount.USER32(00281990), ref: 001F303D
GetCursorPos.USER32(?), ref: 001F3081
SetForegroundWindow.USER32(00000000), ref: 001F308A
TrackPopupMenuEx.USER32(00281990,00000000,?,00000000,00000000,00000000), ref: 001F309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001F30A9

Strings

0, xrefs: 001B327D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: bb05127660b5de6c3fe2c5513e3d9e52c1e978635fcf6a0d1090624aff19e6ee
Instruction ID: 73fd9e257beca4bc953a0bbf5c8e73ce1de4c711a34b9650e8a52f0eec7d834d
Opcode Fuzzy Hash: bb05127660b5de6c3fe2c5513e3d9e52c1e978635fcf6a0d1090624aff19e6ee
Instruction Fuzzy Hash: 3671FC70641209BEEB258F68DC49FEABF64FF05364F204216F625AA1D1C7B1AD60DB90

Function 00246CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00246DEB

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00246E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00246E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00246E94
DestroyWindow.USER32(?), ref: 00246EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001B0000,00000000), ref: 00246EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00246EFD
GetDesktopWindow.USER32 ref: 00246F16
GetWindowRect.USER32(00000000), ref: 00246F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00246F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00246F4D

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

Strings

tooltips_class32, xrefs: 00246E58, 00246EDD
0, xrefs: 00246D98

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 491b547d539eea75553d6e7bd62aa562002aeb15ab1a08e92909f53a65ad3f88
Instruction ID: ca920b9645be6ad03f6fa36d106eafec4a8789de188294686053a8fb7a0ed36d
Opcode Fuzzy Hash: 491b547d539eea75553d6e7bd62aa562002aeb15ab1a08e92909f53a65ad3f88
Instruction Fuzzy Hash: 51716D74114341AFDB29CF18E848EA6BBE9FB8A304F14441DF99987261C771A91ACB12

Function 0022C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0022C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0022C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0022C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0022C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0022C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0022C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0022C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0022C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0022C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0022C5F0
InternetCloseHandle.WININET(00000000), ref: 0022C5FB

Strings

, xrefs: 0022C575

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 99be4097b0bfd9db16d417c7304207fd13788054a31b283d00a6d019be8f2e6c
Instruction ID: 7493dc16f6aa985d18119a75e45ed99f127bd3f1bd66a56e41d0a3e8260dbb98
Opcode Fuzzy Hash: 99be4097b0bfd9db16d417c7304207fd13788054a31b283d00a6d019be8f2e6c
Instruction Fuzzy Hash: CA518BB4110619BFDB219FA4ED88AAF7BFCFF09354F20441AF945A6210DB74E924DB60

Function 0024856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00248592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485BA
GlobalLock.KERNEL32(00000000), ref: 002485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485D7
GlobalUnlock.KERNEL32(00000000), ref: 002485E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0024FC38,?), ref: 00248611
GlobalFree.KERNEL32(00000000), ref: 00248621
GetObjectW.GDI32(?,00000018,?), ref: 00248641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00248671
DeleteObject.GDI32(?), ref: 00248699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002486AF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1659299be8fc7464ef15ba6605c1627f1798062a12b75b3c3b1a31a73d47d414
Instruction ID: b043049b0dc04346f42896d53f9e8cd942e8831ceba4e0ec676bdf7ea1d2993d
Opcode Fuzzy Hash: 1659299be8fc7464ef15ba6605c1627f1798062a12b75b3c3b1a31a73d47d414
Instruction Fuzzy Hash: 32412B75611205AFDB55DFA9DC4CEAE7BBCEF8AB11F114058F909E7260DB709901CB20

Function 002214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00221502
VariantCopy.OLEAUT32(?,?), ref: 0022150B
VariantClear.OLEAUT32(?), ref: 00221517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00221657
VariantInit.OLEAUT32(?), ref: 00221708
SysFreeString.OLEAUT32(?), ref: 0022178C
VariantClear.OLEAUT32(?), ref: 002217D8
VariantClear.OLEAUT32(?), ref: 002217E7
VariantInit.OLEAUT32(00000000), ref: 00221823

Strings

Default, xrefs: 002216AF
%4d%02d%02d%02d%02d%02d, xrefs: 00221625

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: eb9dafacfc33aeedf678653bd4bacab923004d96aea6a3acd81f44d0c646a135
Instruction ID: 33d4c7d1c25eda0e86a973d0267ad0153fef9f4ff8d4fbfc5c73b894aab90bb6
Opcode Fuzzy Hash: eb9dafacfc33aeedf678653bd4bacab923004d96aea6a3acd81f44d0c646a135
Instruction Fuzzy Hash: 34D1CF71A20225EBDB109FA5E885FB9B7B5BF65700F60809AF406AB180DB70DC71DB61

Function 0023B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0023B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0023B80A
RegCloseKey.ADVAPI32(?), ref: 0023B87E
RegCloseKey.ADVAPI32(?), ref: 0023B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0023B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0023B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0023B922
FreeLibrary.KERNEL32(00000000), ref: 0023B983
RegCloseKey.ADVAPI32(00000000), ref: 0023B994

Strings

RegDeleteKeyExW, xrefs: 0023B8FE
advapi32.dll, xrefs: 0023B8ED

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 1021918b6220015177b5548e9f39b572e3eda75e25c0dc1ff72e35c6e0fa9f61
Instruction ID: 00b33d6b89ed187847007b9f62d0fdadced01b0a5fbb67d2357976750793b978
Opcode Fuzzy Hash: 1021918b6220015177b5548e9f39b572e3eda75e25c0dc1ff72e35c6e0fa9f61
Instruction Fuzzy Hash: 5FC18B75214202AFD711DF18C495F6ABBE5FF84308F24849CF69A8B2A2CB71EC45CB91

Function 0023255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002325E8
CreateCompatibleDC.GDI32(?), ref: 002325F4
SelectObject.GDI32(00000000,?), ref: 00232601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0023266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002326D0
SelectObject.GDI32(?,?), ref: 002326D8
DeleteObject.GDI32(?), ref: 002326E1
DeleteDC.GDI32(?), ref: 002326E8
ReleaseDC.USER32(00000000,?), ref: 002326F3

Strings

(, xrefs: 0023268D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7311156910da9a72a4bfd4dc01c0298a6a96b4e94c9de12a3aa85f2ab58dbda6
Instruction ID: a7d46dd2f288788500101e04991f131855e1f88b03fd6a95453f2319c70eddf6
Opcode Fuzzy Hash: 7311156910da9a72a4bfd4dc01c0298a6a96b4e94c9de12a3aa85f2ab58dbda6
Instruction Fuzzy Hash: 5C61F3B5D11219EFCF04CFA8D885EAEBBB9FF48310F208529E959A7250D770A951CF50

Function 001EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001EDAA1

Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED659
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED66B
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED67D
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED68F
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6A1
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6B3
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6C5
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6D7
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6E9
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6FB
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED70D
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED71F
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED731

_free.LIBCMT ref: 001EDA96

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001EDAB8
_free.LIBCMT ref: 001EDACD
_free.LIBCMT ref: 001EDAD8
_free.LIBCMT ref: 001EDAFA
_free.LIBCMT ref: 001EDB0D
_free.LIBCMT ref: 001EDB1B
_free.LIBCMT ref: 001EDB26
_free.LIBCMT ref: 001EDB5E
_free.LIBCMT ref: 001EDB65
_free.LIBCMT ref: 001EDB82
_free.LIBCMT ref: 001EDB9A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 472f95c058f55951b27b7dbc2d5623eb1fdaaa81e03d3cec154e40830c120d6c
Instruction ID: 6226d0d098318982a14b1d1415d21a4421928ed2f58b0d42cdc3c93da7b6f376
Opcode Fuzzy Hash: 472f95c058f55951b27b7dbc2d5623eb1fdaaa81e03d3cec154e40830c120d6c
Instruction Fuzzy Hash: 23318D31604B889FEB25AA3AF846B5EB7E8FF61314F125429E458D7192EF35ED40C720

Function 0021365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0021369C
_wcslen.LIBCMT ref: 002136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00213797
GetClassNameW.USER32(?,?,00000400), ref: 0021380C
GetDlgCtrlID.USER32(?), ref: 0021385D
GetWindowRect.USER32(?,?), ref: 00213882
GetParent.USER32(?), ref: 002138A0
ScreenToClient.USER32(00000000), ref: 002138A7
GetClassNameW.USER32(?,?,00000100), ref: 00213921
GetWindowTextW.USER32(?,?,00000400), ref: 0021395D

Strings

%s%u, xrefs: 00213734

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b977841c9a8ccfcafd47798db661826edb64da5c4ae95fb42790d55549334f63
Instruction ID: 38579a3cc89ab395ca69347fe948bd402fba1046348a299942d1b62aae4ef309
Opcode Fuzzy Hash: b977841c9a8ccfcafd47798db661826edb64da5c4ae95fb42790d55549334f63
Instruction Fuzzy Hash: 7F91D071214607AFD718DF24C884BEAF7EAFF64310F108529F999D2190DB30AAA5CB91

Function 00214954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00214994
GetWindowTextW.USER32(?,?,00000400), ref: 002149DA
_wcslen.LIBCMT ref: 002149EB
CharUpperBuffW.USER32(?,00000000), ref: 002149F7
_wcsstr.LIBVCRUNTIME ref: 00214A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00214A64
GetWindowTextW.USER32(?,?,00000400), ref: 00214A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00214AE6
GetClassNameW.USER32(?,?,00000400), ref: 00214B20
GetWindowRect.USER32(?,?), ref: 00214B8B

Strings

ThumbnailClass, xrefs: 00214A6F, 00214AF1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 499f4a9d32af5780d6d0c62d10a1772e83bf68556aa09a9fd98f8e985b801ebf
Instruction ID: d55962fa9efa30eda4bc72f725f6e693c087af852f152f18da3081170258ee8b
Opcode Fuzzy Hash: 499f4a9d32af5780d6d0c62d10a1772e83bf68556aa09a9fd98f8e985b801ebf
Instruction Fuzzy Hash: 9491E6714182069FDB04EF14C885FEA77E8FFA4314F04846AFD899A195DB30ED95CBA1

Function 00248D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00248D5A
GetFocus.USER32 ref: 00248D6A
GetDlgCtrlID.USER32(00000000), ref: 00248D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00248E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00248ECF
GetMenuItemCount.USER32(?), ref: 00248EEC
GetMenuItemID.USER32(?,00000000), ref: 00248EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00248F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00248F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00248FA1

Strings

0, xrefs: 00248E9F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 6ecf314d6806df1a72d60704e9ecaad98167448ccd7234042d3759e6c8de3cac
Instruction ID: a2b57567d4dcd73dcabab47598acf42912a1700b3e0c7c0d590f4b47107273df
Opcode Fuzzy Hash: 6ecf314d6806df1a72d60704e9ecaad98167448ccd7234042d3759e6c8de3cac
Instruction Fuzzy Hash: 8681E2716243029FD718CF24D888AAF7BE9FF99714F10051DF98497291DB70D915CB62

Function 0021DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0021DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0021DC46
_wcslen.LIBCMT ref: 0021DC50
_wcsstr.LIBVCRUNTIME ref: 0021DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0021DCBC

Strings

\VarFileInfo\Translation, xrefs: 0021DCB4
DefaultLangCodepage, xrefs: 0021DD1F
04090000, xrefs: 0021DCF2
StringFileInfo\, xrefs: 0021DC8F
%u.%u.%u.%u, xrefs: 0021DD9A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 6f2cb981486047a4954977bd9feb86e13eaecd7fa8fc7043743f5f288707923d
Instruction ID: a4383155533918a1d6665c0a92298a850bde1041470b356048e625e7357f590d
Opcode Fuzzy Hash: 6f2cb981486047a4954977bd9feb86e13eaecd7fa8fc7043743f5f288707923d
Instruction Fuzzy Hash: CE411572A50205BBDB04AB64AC47FFF77ACDF76710F10406AF900A6283EB75D92187A5

Function 0023CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0023CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0023CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0023CD48

Part of subcall function 0023CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0023CCAA
Part of subcall function 0023CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0023CCBD
Part of subcall function 0023CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0023CCCF
Part of subcall function 0023CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0023CD05
Part of subcall function 0023CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0023CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0023CCF3

Strings

RegDeleteKeyExW, xrefs: 0023CCC9
advapi32.dll, xrefs: 0023CCB8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 33dfd53b0f9f20fcb2fc340df5d9b6c30200ccb970d5b046a10299411caf4655
Instruction ID: 65dce5a3101846f573bd250dd2fd63110a448a4e3d3bce01931e5d1fd2c93db6
Opcode Fuzzy Hash: 33dfd53b0f9f20fcb2fc340df5d9b6c30200ccb970d5b046a10299411caf4655
Instruction Fuzzy Hash: 163180B5A12129BBD7218F54DC8CEFFBB7CEF06750F200565B909E2240DA749A45DBA0

Function 0021E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0021E6B4

Part of subcall function 001CE551: timeGetTime.WINMM(?,?,0021E6D4), ref: 001CE555

Sleep.KERNEL32(0000000A), ref: 0021E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0021E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0021E727
SetActiveWindow.USER32 ref: 0021E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0021E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0021E773
Sleep.KERNEL32(000000FA), ref: 0021E77E
IsWindow.USER32 ref: 0021E78A
EndDialog.USER32(00000000), ref: 0021E79B

Strings

BUTTON, xrefs: 0021E719

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3703bdfe342d855166d4a78aff78a403ba1d3db4de63bcc4d09b1365a6755b28
Instruction ID: c4d0492fa75bc82b517ab2e046fa09a7e75b892ac5e3e138c9294d627f24f854
Opcode Fuzzy Hash: 3703bdfe342d855166d4a78aff78a403ba1d3db4de63bcc4d09b1365a6755b28
Instruction Fuzzy Hash: B121D4B8212251EFFF005F24FC8DE667BEDF7A6349B254424FC05811A1EB719C648B10

Function 0021E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0021EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0021EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0021EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0021EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0021EAA7

Strings

alias PlayMe, xrefs: 0021EA36
open , xrefs: 0021EA0C
status PlayMe mode, xrefs: 0021EA58
close PlayMe, xrefs: 0021EA6E, 0021EA9B
play PlayMe, xrefs: 0021EAA2
play PlayMe wait, xrefs: 0021EA91

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c8d7a16d04e64da5af5bc0091587a5b84b6764623025f7e270e62a41067429d0
Instruction ID: 631b575a2fac57cda5917ce7e49edd5b58daecb68e4aedc4eaf31793fcb71afc
Opcode Fuzzy Hash: c8d7a16d04e64da5af5bc0091587a5b84b6764623025f7e270e62a41067429d0
Instruction Fuzzy Hash: B6117731A6025979D710A761DC4EDFF6EBCEFE2F00F444425B915A20D1DF700955C5B0

Function 00215CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00215CE2
GetWindowRect.USER32(00000000,?), ref: 00215CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00215D59
GetDlgItem.USER32(?,00000002), ref: 00215D69
GetWindowRect.USER32(00000000,?), ref: 00215D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00215DCF
GetDlgItem.USER32(?,000003E9), ref: 00215DDD
GetWindowRect.USER32(00000000,?), ref: 00215DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00215E31
GetDlgItem.USER32(?,000003EA), ref: 00215E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00215E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00215E67

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d2975d5b33af116177e693d82738ec977d226f35c83a6df01880e3627213db93
Instruction ID: 2c20c6b3ea160d03886374d2e626c81285dbfe1e255b7cdc9ad5696c20d4bb5e
Opcode Fuzzy Hash: d2975d5b33af116177e693d82738ec977d226f35c83a6df01880e3627213db93
Instruction Fuzzy Hash: 58514E74B10615AFDF18CF68DD89AAEBBF9FB98300F208128F905E6290D7709E50CB50

Function 001C8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001C8BE8,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 001C8FC5

DestroyWindow.USER32(?), ref: 001C8C81
KillTimer.USER32(00000000,?,?,?,?,001C8BBA,00000000,?), ref: 001C8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00206973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 002069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 002069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,001C8BBA,00000000), ref: 002069D4
DeleteObject.GDI32(00000000), ref: 002069E6

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 9ac24c4aca136cefb8c6d1b54d314fecd3d6cb390b4b1c1f0fc39f1e40d63c19
Instruction ID: ef17be26b1df8e0a766dddff4a015aba2b9e8d0bae6c34a4adcdc7d21226dadf
Opcode Fuzzy Hash: 9ac24c4aca136cefb8c6d1b54d314fecd3d6cb390b4b1c1f0fc39f1e40d63c19
Instruction Fuzzy Hash: 5B61B934112701DFDB259F18E98CB6AB7B1FB61312F24441CE0429B9A0CB35ECA1DFA8

Function 001C9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

GetSysColor.USER32(0000000F), ref: 001C9862

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a6dd89755ea0146d73212460bbcf526f77a36cec3922419f9b12021321947b90
Instruction ID: adce8a2564826bdb0137e0d76bb4255f16374120ab9b5ed4e340e7d16b4f33b0
Opcode Fuzzy Hash: a6dd89755ea0146d73212460bbcf526f77a36cec3922419f9b12021321947b90
Instruction Fuzzy Hash: 07419E35505644AFDB205F38AC8CFB93BA5AB27330F244659F9A68B2E2C731DD42DB10

Function 002196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,001FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00219717
LoadStringW.USER32(00000000,?,001FF7F8,00000001), ref: 00219720

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,001FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00219742
LoadStringW.USER32(00000000,?,001FF7F8,00000001), ref: 00219745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00219866

Strings

Error: , xrefs: 0021981D
Line %d:, xrefs: 002197A0
%s (%d) : ==> %s: %s %s, xrefs: 0021984A
^ ERROR, xrefs: 002197FB
Line %d (File "%s"):, xrefs: 0021978F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: be3827e604d58f1c5e1d37d57891ecee29c47267efd0a6bbdf6b62cb9f029068
Instruction ID: 54a24c927cc19622da41b2337615a56603653c4a86a9a489c799ff4e1c25e7f1
Opcode Fuzzy Hash: be3827e604d58f1c5e1d37d57891ecee29c47267efd0a6bbdf6b62cb9f029068
Instruction Fuzzy Hash: 22414172800219ABCF14EBE4DD96DEEB7B8AF65340F600065F60572092EB356F99CF61

Function 00233C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00233C5C
CoInitialize.OLE32(00000000), ref: 00233C8A
CoUninitialize.OLE32 ref: 00233C94
_wcslen.LIBCMT ref: 00233D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00233DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00233ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00233F0E
CoGetObject.OLE32(?,00000000,0024FB98,?), ref: 00233F2D
SetErrorMode.KERNEL32(00000000), ref: 00233F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00233FC4
VariantClear.OLEAUT32(?), ref: 00233FD8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 68c8a46cd9600ccd1d3bb811b45e89f97b6a99c5b386a729646f59971f061336
Instruction ID: 1ddfb7c801ae78a155f84695929ee35e17b351769c74e92898e0b9d2306a0768
Opcode Fuzzy Hash: 68c8a46cd9600ccd1d3bb811b45e89f97b6a99c5b386a729646f59971f061336
Instruction Fuzzy Hash: 24C166B16183059FD700DF68C88496BBBE9FF89748F10491DF98A9B220D770EE15CB52

Function 00227A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00227AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00227B8F
SHGetDesktopFolder.SHELL32(?), ref: 00227BA3
CoCreateInstance.OLE32(0024FD08,00000000,00000001,00276E6C,?), ref: 00227BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00227C74
CoTaskMemFree.OLE32(?,?), ref: 00227CCC
SHBrowseForFolderW.SHELL32(?), ref: 00227D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00227D7A
CoTaskMemFree.OLE32(00000000), ref: 00227D81
CoTaskMemFree.OLE32(00000000), ref: 00227DD6
CoUninitialize.OLE32 ref: 00227DDC

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 3950bc4ea617b11fadf8aff84bced340b1f70ebea1e3d418f9d256a171f22382
Instruction ID: cd001a73c38ea2e1797249d16a38ebc827d21094ce167b8652bfd952f4626254
Opcode Fuzzy Hash: 3950bc4ea617b11fadf8aff84bced340b1f70ebea1e3d418f9d256a171f22382
Instruction Fuzzy Hash: A9C11B75A14119AFCB14DFA4D888DAEBBF9FF48304B148499F81A9B261D730ED41CB90

Function 0024541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00245504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00245515
CharNextW.USER32(00000158), ref: 00245544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00245585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0024559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002455AC

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 0f95e3d83770feb5053db2f9d4ca95b9a909677db340efb5e5dc3f3111c7fbd3
Instruction ID: 6c4218c37c53487ecdd2259cb9912860c38e8aae803e205218ea8abb2e5ff842
Opcode Fuzzy Hash: 0f95e3d83770feb5053db2f9d4ca95b9a909677db340efb5e5dc3f3111c7fbd3
Instruction Fuzzy Hash: F161C334925629EFDF188F54CC849FE7B79FF06320F108145F9A5AB292D7748AA0DB60

Function 0020FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0020FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0020FB08
VariantInit.OLEAUT32(?), ref: 0020FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0020FB3A
VariantCopy.OLEAUT32(?,?), ref: 0020FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0020FBA1
VariantClear.OLEAUT32(?), ref: 0020FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0020FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0020FBCC
VariantClear.OLEAUT32(?), ref: 0020FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0020FBE9

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a5d9b8c03863fbd4243f8919359c783288f565899c6836beda65ad28c1f71176
Instruction ID: ad3150d60a9b3957c5b598f33dd8ad57e55c5a23e1110fe32b471436d110531d
Opcode Fuzzy Hash: a5d9b8c03863fbd4243f8919359c783288f565899c6836beda65ad28c1f71176
Instruction Fuzzy Hash: CA418F34A10219DFCB50DFA8D9589AEBBB9EF08344F108069E905A7262DB30E945CFA0

Function 00219C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00219CA1
GetAsyncKeyState.USER32(000000A0), ref: 00219D22
GetKeyState.USER32(000000A0), ref: 00219D3D
GetAsyncKeyState.USER32(000000A1), ref: 00219D57
GetKeyState.USER32(000000A1), ref: 00219D6C
GetAsyncKeyState.USER32(00000011), ref: 00219D84
GetKeyState.USER32(00000011), ref: 00219D96
GetAsyncKeyState.USER32(00000012), ref: 00219DAE
GetKeyState.USER32(00000012), ref: 00219DC0
GetAsyncKeyState.USER32(0000005B), ref: 00219DD8
GetKeyState.USER32(0000005B), ref: 00219DEA

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ab7ef7fc3893c492ee78a0c32f8ee01a9bac2f37495dec1002e4b04ec5c98707
Instruction ID: 5d93aa0374ed999909f105a1460034625b23b274c3413fc7236f3049a05f97ad
Opcode Fuzzy Hash: ab7ef7fc3893c492ee78a0c32f8ee01a9bac2f37495dec1002e4b04ec5c98707
Instruction Fuzzy Hash: B34108346147CB69FF309F64D4243F5BEE0AB36304F48805ADAC6561C2D7A599E4C7A2

Function 0023055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002305BC
inet_addr.WSOCK32(?), ref: 0023061C
gethostbyname.WSOCK32(?), ref: 00230628
IcmpCreateFile.IPHLPAPI ref: 00230636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002307B9
WSACleanup.WSOCK32 ref: 002307BF

Strings

Ping, xrefs: 00230676

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6e2f1076def08103003b1bbf0837dc809a0f59419d9933d16b36ffe9813c8790
Instruction ID: 950d2d4d89f9f151f47e2a4cbdf0ae918df4518ff86bf8680329cca60bc01013
Opcode Fuzzy Hash: 6e2f1076def08103003b1bbf0837dc809a0f59419d9933d16b36ffe9813c8790
Instruction Fuzzy Hash: E2919EB56142029FD320DF19D4D9F1ABBE4BF44318F1485A9F46A8B6A2C770EC51CFA1

Function 00238CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00238CF3

Part of subcall function 00218E54: _wcslen.LIBCMT ref: 00218E77

_wcslen.LIBCMT ref: 00238D4E
_wcslen.LIBCMT ref: 00238D9C
_wcslen.LIBCMT ref: 00238DDC
_wcslen.LIBCMT ref: 00238E6E

Strings

winapi, xrefs: 00238D96, 00238D9B
none, xrefs: 00238E65, 00238E6A
cdecl, xrefs: 00238D48, 00238D4D
stdcall, xrefs: 00238DD6, 00238DDB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 6cb1446c763548405844c630c22ef50e27f84c52e9255eef6b5328048024fead
Instruction ID: f746c47d505dd879763a3f00f966177ffb5a0105262499a26b38a2bb15c34cc8
Opcode Fuzzy Hash: 6cb1446c763548405844c630c22ef50e27f84c52e9255eef6b5328048024fead
Instruction Fuzzy Hash: CD51A2B1A2021B9BCF14DF68C9508BEB7A5BF65724F204229F426EB284EB34DD51C790

Function 0023372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00233774
CoUninitialize.OLE32 ref: 0023377F
CoCreateInstance.OLE32(?,00000000,00000017,0024FB78,?), ref: 002337D9
IIDFromString.OLE32(?,?), ref: 0023384C
VariantInit.OLEAUT32(?), ref: 002338E4
VariantClear.OLEAUT32(?), ref: 00233936

Strings

Failed to create object, xrefs: 002337E4, 0023389A
Invalid parameter, xrefs: 00233865
NULL Pointer assignment, xrefs: 0023381E

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 56453d96628d5a67f3e3c8ad97b57d6aa7289263530d6a422ff2e15720435568
Instruction ID: 9a9cf1c08fc9ad87e568bc6c51afe23ae844b4eb683c8a264875e6575a3f655b
Opcode Fuzzy Hash: 56453d96628d5a67f3e3c8ad97b57d6aa7289263530d6a422ff2e15720435568
Instruction Fuzzy Hash: C261AEB0628301AFD311DF54D889FAABBE8EF59710F104919F9859B291C770EF58CB92

Function 00228195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00228257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00228267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00228273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00228310
SetCurrentDirectoryW.KERNEL32(?), ref: 00228324
SetCurrentDirectoryW.KERNEL32(?), ref: 00228356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0022838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00228395

Strings

*.*, xrefs: 0022839B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 3527369136826d2d00686609ebc84787066998db3b5fd40be25c3bab8afc3f11
Instruction ID: 2f8b63d12814e224600d374dac91590a0c217b587251bdaf59da59d1e634ba72
Opcode Fuzzy Hash: 3527369136826d2d00686609ebc84787066998db3b5fd40be25c3bab8afc3f11
Instruction Fuzzy Hash: 1261BC72118315AFCB10EF64E8409AEB3E8FF99310F04895EF989C3251DB31E955CB92

Function 00248B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

Part of subcall function 001C912D: GetCursorPos.USER32(?), ref: 001C9141
Part of subcall function 001C912D: ScreenToClient.USER32(00000000,?), ref: 001C915E
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000001), ref: 001C9183
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000002), ref: 001C919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00248B6B
ImageList_EndDrag.COMCTL32 ref: 00248B71
ReleaseCapture.USER32 ref: 00248B77
SetWindowTextW.USER32(?,00000000), ref: 00248C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00248C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00248CFF

Strings

@GUI_DROPID, xrefs: 00248C51
@GUI_DRAGFILE, xrefs: 00248C9A
p#(, xrefs: 00248C71

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#(
API String ID: 1924731296-1228047575
Opcode ID: c29328990c05c48409da92a50d8783b74b3a4f39839956f83e2731312fc5a2a7
Instruction ID: de124a8bb21c9258cfb6f69151ffc5a56301414093c5709ebbdda6ac72a6dc2e
Opcode Fuzzy Hash: c29328990c05c48409da92a50d8783b74b3a4f39839956f83e2731312fc5a2a7
Instruction Fuzzy Hash: 4751AA75115204AFD708EF24DC9AFAE77E8FB88714F40062DF956A72E1CB709924CB62

Function 00223388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002233CF

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002233F0

Strings

Incorrect parameters to object property !, xrefs: 002234AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00223504
"%s" (%d) : ==> %s:, xrefs: 00223522
Error: , xrefs: 002234D1
Line %d (File "%s"):, xrefs: 00223443, 0022345C
^ ERROR , xrefs: 0022349E

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ca076bf9c1af6f6f5787ca0b6ace62422a7e95adec2e5a3e10b8df2fdff88e08
Instruction ID: a23f06245e3bf6d3d8f45af465128491ffc760d8dbb05f2ec978758670b14de2
Opcode Fuzzy Hash: ca076bf9c1af6f6f5787ca0b6ace62422a7e95adec2e5a3e10b8df2fdff88e08
Instruction Fuzzy Hash: AE51B331900219BADF14EBE0DD56EEEB7B8AF24300F604065F109720A2DB356FA9DF60

Function 0021B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0021B5FC
_wcslen.LIBCMT ref: 0021B608
_wcslen.LIBCMT ref: 0021B64D
_wcslen.LIBCMT ref: 0021B68C
_wcslen.LIBCMT ref: 0021B6C7

Strings

REMOVE, xrefs: 0021B602, 0021B607
APPEND, xrefs: 0021B6C1, 0021B6C6
KEYS, xrefs: 0021B647, 0021B64C
EXISTS, xrefs: 0021B686, 0021B68B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e9400164f97145f40178750d852ce00af2bfe329a1b1b074fe4bf81d12d5c42b
Instruction ID: 0da9b7f8772edc1057f8c263f6203162c393d96e2374f822cb46c4c233c66730
Opcode Fuzzy Hash: e9400164f97145f40178750d852ce00af2bfe329a1b1b074fe4bf81d12d5c42b
Instruction Fuzzy Hash: F541D432A201679BCB216F7D88A05FEB7F9ABB0794B244129E425DB284E731CDD1C790

Function 00225393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00225416
GetLastError.KERNEL32 ref: 00225420
SetErrorMode.KERNEL32(00000000,READY), ref: 002254A7

Strings

UNKNOWN, xrefs: 00225444
READY, xrefs: 00225460, 00225468
READONLY, xrefs: 00225452
NOTREADY, xrefs: 0022544B
INVALID, xrefs: 00225459

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1fb0fe55dc715964f9ba1825eaf8aa88d88840932fd98d3aceec1027d73fd1f9
Instruction ID: fa16c987fe6ba9d0a078796190268afcadf10dab2c1069145621d60cc4c8cf69
Opcode Fuzzy Hash: 1fb0fe55dc715964f9ba1825eaf8aa88d88840932fd98d3aceec1027d73fd1f9
Instruction Fuzzy Hash: B7310535A10525AFC710EFA8E488AE9BBF4FF15305F14C056E505CB292D770DD92CB90

Function 00243C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00243C79
SetMenu.USER32(?,00000000), ref: 00243C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00243D10
IsMenu.USER32(?), ref: 00243D24
CreatePopupMenu.USER32 ref: 00243D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00243D5B
DrawMenuBar.USER32 ref: 00243D63

Strings

F, xrefs: 00243D4E
0, xrefs: 00243C54

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 51989aeceb97df82235fc567191f519821ebe651df95218eb3ef0dba5e565c45
Instruction ID: ba0b167bfed50184ae3caf1ffc377cdbc6af0f3444983347927d3efbdd309e7a
Opcode Fuzzy Hash: 51989aeceb97df82235fc567191f519821ebe651df95218eb3ef0dba5e565c45
Instruction Fuzzy Hash: 91417F79A12606EFDB18CF54E848ADE77B5FF49350F140029F956A7360D770AA20CF50

Function 00243A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00243A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00243AA0
GetWindowLongW.USER32(?,000000F0), ref: 00243AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00243AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00243B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00243BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00243BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00243BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00243BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00243C13

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 411f8e6ad46436f6d04f4bc2841a89c475908ad4b5b7cb32e80da4039e7befc1
Instruction ID: 158b2aefe43ce33b395076d9029ea1edc27416f39ea428bf9bf3c563a381eb1c
Opcode Fuzzy Hash: 411f8e6ad46436f6d04f4bc2841a89c475908ad4b5b7cb32e80da4039e7befc1
Instruction Fuzzy Hash: 90618A75A00208AFDB15DFA8CC85EEE77B8EB09704F10419AFA15E72A1C770AE56DF50

Function 0021B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0021B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B165
GetWindowThreadProcessId.USER32(00000000), ref: 0021B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0021B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B21D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e47da5c74bab3fab4f5158bf72239fa919b203a6e2ae0af4d92b176d50b66a9b
Instruction ID: a0bd9d62ea496740c82faa5352375691272cff91514d74dac3505df4cd8e8f6b
Opcode Fuzzy Hash: e47da5c74bab3fab4f5158bf72239fa919b203a6e2ae0af4d92b176d50b66a9b
Instruction Fuzzy Hash: CC31BF79522205BFDB12EF68EC5CFAD7BB9BB61711F218014FA04D6190D7B49A848F60

Function 001E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E2C94

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001E2CA0
_free.LIBCMT ref: 001E2CAB
_free.LIBCMT ref: 001E2CB6
_free.LIBCMT ref: 001E2CC1
_free.LIBCMT ref: 001E2CCC
_free.LIBCMT ref: 001E2CD7
_free.LIBCMT ref: 001E2CE2
_free.LIBCMT ref: 001E2CED
_free.LIBCMT ref: 001E2CFB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8f7cbdee1a29131d94a80cf33fe8605e7e36b085a416dff14cfe8f3b6f70aa30
Instruction ID: 0b237517cfd4717270112ac57baedc0e3d240a8b56f5b724c15c804df5d94113
Opcode Fuzzy Hash: 8f7cbdee1a29131d94a80cf33fe8605e7e36b085a416dff14cfe8f3b6f70aa30
Instruction Fuzzy Hash: 9A11043610045CAFCB06EF56D892CDC3BA9FF15344F4250A0FA489F222DB35EE509B90

Function 001B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001B5C7A

Part of subcall function 001B5D0A: GetClientRect.USER32(?,?), ref: 001B5D30
Part of subcall function 001B5D0A: GetWindowRect.USER32(?,?), ref: 001B5D71
Part of subcall function 001B5D0A: ScreenToClient.USER32(?,?), ref: 001B5D99

GetDC.USER32 ref: 001F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001F4708
SelectObject.GDI32(00000000,00000000), ref: 001F4716
SelectObject.GDI32(00000000,00000000), ref: 001F472B
ReleaseDC.USER32(?,00000000), ref: 001F4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001F47C4

Strings

U, xrefs: 001F4693

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2bf2753343da393f51c2340d4a69bfc9dc1d74ad213fd2b03b889e7328f66409
Instruction ID: a9151392470a5ab0273beeccc94c520d83bd9ddd335f31b64d256bcbe5446197
Opcode Fuzzy Hash: 2bf2753343da393f51c2340d4a69bfc9dc1d74ad213fd2b03b889e7328f66409
Instruction Fuzzy Hash: 2071F134400209DFCF25DF64C984AFB7BBAFF4A360F284269EE559A2A6C3318841DF50

Function 0022359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002235E4

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

LoadStringW.USER32(00282390,?,00000FFF,?), ref: 0022360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00223742
"%s" (%d) : ==> %s:%s%s, xrefs: 00223724
Error: , xrefs: 002236EF
^ ERROR, xrefs: 002236C9
Line %d (File "%s"):, xrefs: 0022366B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c950b8d737b197eddc66580419c71fd42bf2c3bade2ab20d9a6997849cb504ea
Instruction ID: 724a1a38a22bc7e7eca98f7ffe14f5cd37bb2485d8f9d8fce6bb561f63de517b
Opcode Fuzzy Hash: c950b8d737b197eddc66580419c71fd42bf2c3bade2ab20d9a6997849cb504ea
Instruction Fuzzy Hash: 5651817181021ABBCF14EBE0DC96EEEBB78AF24300F144165F105721A1DB355BA9DF60

Function 0022C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0022C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0022C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0022C2CA
GetLastError.KERNEL32 ref: 0022C322
SetEvent.KERNEL32(?), ref: 0022C336
InternetCloseHandle.WININET(00000000), ref: 0022C341

Strings

, xrefs: 0022C2BB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 74e92d7042cc3be609bb2ca9771838d1dbc8120cd77da6a3460ca8d18accc1b1
Instruction ID: 9ed28aa6512852039613462d4c04f8608024dfccc738d4038b95d0280da6b2d5
Opcode Fuzzy Hash: 74e92d7042cc3be609bb2ca9771838d1dbc8120cd77da6a3460ca8d18accc1b1
Instruction Fuzzy Hash: 85319FB1510614BFD721DFA8AC88AAF7BFCEB49744B20891EF44697210DB70DD548B60

Function 0021989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001F3AAF,?,?,Bad directive syntax error,0024CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002198BC
LoadStringW.USER32(00000000,?,001F3AAF,?), ref: 002198C3

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00219987

Strings

Line %d:, xrefs: 00219912
Line %d (File "%s"):, xrefs: 0021992D
., xrefs: 0021996D
Error: , xrefs: 00219955
%s (%d) : ==> %s.: %s %s, xrefs: 002198F1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 39415987737994fdd0b3e9a50b9fec106113cb3f32a4d0daf8abbefd94563701
Instruction ID: 56a04940102a2afc93b18488505f8d456e9172b8ea1fe5de1b9f85c27f136d01
Opcode Fuzzy Hash: 39415987737994fdd0b3e9a50b9fec106113cb3f32a4d0daf8abbefd94563701
Instruction Fuzzy Hash: BF219131C1021EBBCF15AF90CC1AEEE7B79FF29700F044459F519660A2EB719AA8DB10

Function 0021209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0021214D

Strings

SHELLDLL_DefView, xrefs: 002120CC
details, xrefs: 002120FB
largeicons, xrefs: 002120E1
smallicons, xrefs: 00212115
list, xrefs: 0021212F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 317405fb5ba53032a730e98cc68807fba30ce9b08d3a362fe86c41d7c951d7a2
Instruction ID: 3051592b9f18bf4e19a4371c430073c4c9f5e55aef3558c681dea36d4a54ac39
Opcode Fuzzy Hash: 317405fb5ba53032a730e98cc68807fba30ce9b08d3a362fe86c41d7c951d7a2
Instruction Fuzzy Hash: F1113A7A6A8717FBF605A620EC0ADFA73DCCB26324B205016FB0DA50D2FBB158B95514

Function 001E8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629441d6ac22097756cdbf81a5eb03b7ca9482d6e690c000f2637c866e3c2010
Instruction ID: 992875fae9e2e0d7e7d18e04d67103ddd39cea4b22b696c918adcabb8534bb98
Opcode Fuzzy Hash: 629441d6ac22097756cdbf81a5eb03b7ca9482d6e690c000f2637c866e3c2010
Instruction Fuzzy Hash: 68C13574D04689AFCF11DFAAD845BADBBB4BF19310F044199F919AB392CB308A41CB60

Function 001ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001ECEB7
_free.LIBCMT ref: 001ECF22
_free.LIBCMT ref: 001ECF48
_free.LIBCMT ref: 001ECF71
_free.LIBCMT ref: 001ECFA9
_free.LIBCMT ref: 001ECFDA
_free.LIBCMT ref: 001ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 001ED09C
_free.LIBCMT ref: 001ED0B5

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 586ab6b39d17a3b24a8b42a28267ad57289998982383b5b63bb6b96b478cfc26
Instruction ID: 9448131646a46eecf4e009993c7cb3aa7733c255ffdbfe6cd3dced690ce7c339
Opcode Fuzzy Hash: 586ab6b39d17a3b24a8b42a28267ad57289998982383b5b63bb6b96b478cfc26
Instruction Fuzzy Hash: 65619872904BD0AFDB25AFB6AC95A6E7BE9EF12720F04416DF80197282D7319D0287D0

Function 002450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00245186
ShowWindow.USER32(?,00000000), ref: 002451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002451D1

Part of subcall function 00246FBA: DeleteObject.GDI32(00000000), ref: 00246FE6

GetWindowLongW.USER32(?,000000F0), ref: 0024520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0024521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0024524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00245287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00245296

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5f53657279bce1545cc74510cac553a5ef139d41ec658ed117ea850a1f4a39a6
Instruction ID: 3fd3372c7f3bc35e78e2e369ee3ccb4151081684f5a2983a7fd202c0c8182aad
Opcode Fuzzy Hash: 5f53657279bce1545cc74510cac553a5ef139d41ec658ed117ea850a1f4a39a6
Instruction Fuzzy Hash: D351C434A71A29BFEF289F24CC49BD93B65FB05321F144012F99D962E2C3B599A0DF41

Function 001C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00206890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00206901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0020691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0020692D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7efe0e96d95a9bdda34cd85ff29ce0deb288df7d859e9b30ad902be6547de55e
Instruction ID: c79766a7a59a2e5de46d3c5623e713e3d79385858b19b39b82748e22eeb752dd
Opcode Fuzzy Hash: 7efe0e96d95a9bdda34cd85ff29ce0deb288df7d859e9b30ad902be6547de55e
Instruction Fuzzy Hash: 3151677461030AAFDB248F28DC99FAA7BB5EB68750F104518F906972E0DB70EDA0DB50

Function 0022C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0022C182
GetLastError.KERNEL32 ref: 0022C195
SetEvent.KERNEL32(?), ref: 0022C1A9

Part of subcall function 0022C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0022C272
Part of subcall function 0022C253: GetLastError.KERNEL32 ref: 0022C322
Part of subcall function 0022C253: SetEvent.KERNEL32(?), ref: 0022C336
Part of subcall function 0022C253: InternetCloseHandle.WININET(00000000), ref: 0022C341

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: f746b87357040ae6cf16cd9ee5dfd8f81f740ab5a19bffbfcae2a48602dd4575
Instruction ID: 4e4faa33bd0ee99fcea85604f74e43310bc9d6f4efe8c933af47d59bc3963232
Opcode Fuzzy Hash: f746b87357040ae6cf16cd9ee5dfd8f81f740ab5a19bffbfcae2a48602dd4575
Instruction Fuzzy Hash: 3A319E75111611FFDB219FE9EC08A6ABBE8FF19300B20451EF95A87610DB71E8209BA0

Function 002125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00213A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00213A57
Part of subcall function 00213A3D: GetCurrentThreadId.KERNEL32 ref: 00213A5E
Part of subcall function 00213A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002125B3), ref: 00213A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00212601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00212605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0021260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00212623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00212627

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 8492247df2b614395b7fd3ba8b6571a08818850390aae1db28442ded768b4df0
Instruction ID: 8670764812d8aadf08e8796a52254f4cdd5569b2a8e19ee2ddc8472891ad39d6
Opcode Fuzzy Hash: 8492247df2b614395b7fd3ba8b6571a08818850390aae1db28442ded768b4df0
Instruction Fuzzy Hash: EF01D830791650BBFB1067689C8EF993F9DDF9EB11F200011F31CAE0D1C9E114548EA9

Function 00211803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00211449,?,?,00000000), ref: 0021180C
HeapAlloc.KERNEL32(00000000,?,00211449,?,?,00000000), ref: 00211813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00211449,?,?,00000000), ref: 00211828
GetCurrentProcess.KERNEL32(?,00000000,?,00211449,?,?,00000000), ref: 00211830
DuplicateHandle.KERNEL32(00000000,?,00211449,?,?,00000000), ref: 00211833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00211449,?,?,00000000), ref: 00211843
GetCurrentProcess.KERNEL32(00211449,00000000,?,00211449,?,?,00000000), ref: 0021184B
DuplicateHandle.KERNEL32(00000000,?,00211449,?,?,00000000), ref: 0021184E
CreateThread.KERNEL32(00000000,00000000,00211874,00000000,00000000,00000000), ref: 00211868

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 77fef418269eb32d0043ec0e1526daf85c0fdf40414552542f7ae1e47fecb40d
Instruction ID: c8c188af9f18068410a5f04eaa3ec97e857529c2deb01aaed03dbcbf6ff2349f
Opcode Fuzzy Hash: 77fef418269eb32d0043ec0e1526daf85c0fdf40414552542f7ae1e47fecb40d
Instruction Fuzzy Hash: 1301BF75241304BFE750AFA9EC4DF573BACEB8AB11F114411FA09DB191C6709810CB20

Function 0023A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0021D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0021D501
Part of subcall function 0021D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0021D50F
Part of subcall function 0021D4DC: CloseHandle.KERNEL32(00000000), ref: 0021D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0023A16D
GetLastError.KERNEL32 ref: 0023A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0023A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0023A268
GetLastError.KERNEL32(00000000), ref: 0023A273
CloseHandle.KERNEL32(00000000), ref: 0023A2C4

Strings

SeDebugPrivilege, xrefs: 0023A18F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d3e5282b53ce95bcc04f7374c77b8ce8235fee3ccc2be415f74f5ee35ce45dc2
Instruction ID: 2911516588e583c0a413bff8867252afe475c799f748e3adc490402c93024448
Opcode Fuzzy Hash: d3e5282b53ce95bcc04f7374c77b8ce8235fee3ccc2be415f74f5ee35ce45dc2
Instruction Fuzzy Hash: 5F61B2742142429FD720DF18C494F66BBE1AF54318F18849CF8AA8B7A3C776EC55CB92

Function 00243886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00243925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0024393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00243954
_wcslen.LIBCMT ref: 00243999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002439F4

Strings

SysListView32, xrefs: 002438F7

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5e43e060364582cee46be866e0d97a782bee539408c81bf6cf81b542b1cae49d
Instruction ID: 5fe5b5696987195ce83fcb5d9b300cb03b2008438e994d11e399c754490c2df4
Opcode Fuzzy Hash: 5e43e060364582cee46be866e0d97a782bee539408c81bf6cf81b542b1cae49d
Instruction Fuzzy Hash: 8941D571A10219ABEF25DF64CC49FEA7BA9EF48350F100526F958E7281D7B19DA0CB90

Function 0021BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0021BCFD
IsMenu.USER32(00000000), ref: 0021BD1D
CreatePopupMenu.USER32 ref: 0021BD53
GetMenuItemCount.USER32(010C6150), ref: 0021BDA4
InsertMenuItemW.USER32(010C6150,?,00000001,00000030), ref: 0021BDCC

Strings

2, xrefs: 0021BD37
0, xrefs: 0021BCA8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 60b17d8eea2dab51244508b13612807961ee3611eb6bc55ccc25b439fefb4f95
Instruction ID: be9c64af493d05ef6560b951d34ad79be8ff2117aee1805cf96f5f206ec4b74a
Opcode Fuzzy Hash: 60b17d8eea2dab51244508b13612807961ee3611eb6bc55ccc25b439fefb4f95
Instruction Fuzzy Hash: EB51C47061020ADBDF1ACFA8E8C8BEDBBF4BF65314F244169E411E7290D7709991CB51

Function 0021C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0021C913

Strings

info, xrefs: 0021C8B4
stop, xrefs: 0021C8E4
blank, xrefs: 0021C895
warning, xrefs: 0021C8FC
question, xrefs: 0021C8CC

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a1905cbd398cf661b782866aeff96566757462a374109dfa7070f89421e7bf65
Instruction ID: 6af9bd791ced0b49130d2266d41dc03ec1e1b07ee5b48597cca25cc62cfbdca2
Opcode Fuzzy Hash: a1905cbd398cf661b782866aeff96566757462a374109dfa7070f89421e7bf65
Instruction Fuzzy Hash: 8F11F6396E9707BBA7055B549CC39EE67DCDF36364B30402BF504AB282D7B05D905268

Function 0021ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0021ED2A
_wcslen.LIBCMT ref: 0021ED3B
_wcslen.LIBCMT ref: 0021ED79
_wcslen.LIBCMT ref: 0021EDAF
_wcslen.LIBCMT ref: 0021EDDF
_wcslen.LIBCMT ref: 0021EDEF
_wcslen.LIBCMT ref: 0021EE2B
_wcslen.LIBCMT ref: 0021EE5A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 95b66c20a345bc005e15b6d24dbc4d572b0327fc4504ee7779d6b565bd1f1f60
Instruction ID: 823afe20410007e5a3742782b5d599f338cb687a311cc4aaba410fad5df793a4
Opcode Fuzzy Hash: 95b66c20a345bc005e15b6d24dbc4d572b0327fc4504ee7779d6b565bd1f1f60
Instruction Fuzzy Hash: 7D418065C1021876CB11EBB48C8AACFB7ACAF65710F508463F918E3221FB34E295C7E5

Function 001CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 001CF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 0020F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 0020F454

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f91b784d93fcd8f3a218fff9e8088229af1cb399e88036c3111a01c6a030095d
Instruction ID: aa1ee2e9068f532d63faca9adaf679b4f4c36c665c30262e443408eb368cf8a4
Opcode Fuzzy Hash: f91b784d93fcd8f3a218fff9e8088229af1cb399e88036c3111a01c6a030095d
Instruction Fuzzy Hash: 76412B35224780BBCFB89B2C998CF2A7B97AB66318F15403CF547569A1C735E882CB11

Function 00242D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00242D1B
GetDC.USER32(00000000), ref: 00242D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00242D2E
ReleaseDC.USER32(00000000,00000000), ref: 00242D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00242D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00242D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00245A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00242DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00242DE1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 81b6b72d9a61a72539de74ed303be23878ab782697ed7ec806ea84fcda083548
Instruction ID: 8a06d5c5b4e6a0c2069fc0bed7ac5847f965522735a27d950869ab625d5b7451
Opcode Fuzzy Hash: 81b6b72d9a61a72539de74ed303be23878ab782697ed7ec806ea84fcda083548
Instruction Fuzzy Hash: 2E31CE76212210BFEB258F55DC8AFEB3FADEF4A711F044055FE089A291C6B58C50CBA0

Function 00215622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00215637
_memcmp.LIBVCRUNTIME ref: 00215659
_memcmp.LIBVCRUNTIME ref: 00215671
_memcmp.LIBVCRUNTIME ref: 00215684
_memcmp.LIBVCRUNTIME ref: 0021569E
_memcmp.LIBVCRUNTIME ref: 002156B1
_memcmp.LIBVCRUNTIME ref: 002156C9
_memcmp.LIBVCRUNTIME ref: 002156E4

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 06681c7a8174d117d866cb374d7f91c3ab576155d7dc2df0487d0dfaf45aa243
Instruction ID: c33331b0bcfcb911c9fb800ce9d75beb0ffe631a610018b6c9b3a28f2e426306
Opcode Fuzzy Hash: 06681c7a8174d117d866cb374d7f91c3ab576155d7dc2df0487d0dfaf45aa243
Instruction Fuzzy Hash: 1D21FC6167092AFBD21899118E82FFA73DDBFF2394F440062FD045A682F760ED7181E5

Function 00234FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00235007
NULL Pointer assignment, xrefs: 0023502E, 00235383

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bb43773fed3733bf699fe842f0c54256b4e3a490cac454168c3dd6cecba0c04b
Instruction ID: 9d292ea1bee746d222b5a9a6ee50a44443076c3475ff17cdb0d8fc6fe9eadcb8
Opcode Fuzzy Hash: bb43773fed3733bf699fe842f0c54256b4e3a490cac454168c3dd6cecba0c04b
Instruction Fuzzy Hash: 9ED1D3B1A1061A9FDF14CFA8C880FAEB7B5FF48344F148069E919AB281E771DD51CB90

Function 001F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001F15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001F1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001F17FB,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001F16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001F16FB

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001F1777
__freea.LIBCMT ref: 001F17A2
__freea.LIBCMT ref: 001F17AE

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 98387d1eb3a1cb264be7d3d54c401514f67d96d1ca89fe51fe280ac0ade15752
Instruction ID: 6858600090b3e485cd7630cbd67c8b57043948bd7b09b956211e8e41774dba25
Opcode Fuzzy Hash: 98387d1eb3a1cb264be7d3d54c401514f67d96d1ca89fe51fe280ac0ade15752
Instruction Fuzzy Hash: 4991D472E0021EFADF249EB5C881AFE7BB5AF5A710F180659EA06E7150DB35DC40CB60

Function 00234523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00234648
VariantInit.OLEAUT32(?), ref: 00234749
VariantClear.OLEAUT32(?), ref: 00234753
VariantClear.OLEAUT32(?), ref: 002347B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0023472C
Null Object assignment in FOR..IN loop, xrefs: 002345D8, 00234706, 002347BE

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 4a8c5eb3bb5854de7e5d91b70445c1eee46888c5f4c86eea33a6a459b56d479b
Instruction ID: ae48cb915d76f649bec304ce7093606b37173506d9d89f7f1ecf5041abffc444
Opcode Fuzzy Hash: 4a8c5eb3bb5854de7e5d91b70445c1eee46888c5f4c86eea33a6a459b56d479b
Instruction Fuzzy Hash: 4191B4B1E20215ABDF24DFA4CC45FAEBBB8EF46714F108599F505AB280D770A951CFA0

Function 00221187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0022125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00221284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0022135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00221430

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 8f1af29af35218cf6f6bc698085b4beb4d9d17ffe52fd9b3e5280d036a6c7190
Instruction ID: c55fb7394279ab455df819bcf6adef689edfae07f60555f362bb763315080f17
Opcode Fuzzy Hash: 8f1af29af35218cf6f6bc698085b4beb4d9d17ffe52fd9b3e5280d036a6c7190
Instruction Fuzzy Hash: D391D275910229AFEB00DFD8E884FBE77B5FF65314F104129E900E7291D774A961CB90

Function 001C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6bdd232932ba77679222b6257325b2b1c80f6d76a652428c6f01334a0b3019b4
Instruction ID: 58c4f06e0f5f15b1d9132009da857a83fe91c96da7fa653e96c2506d4b75d7bf
Opcode Fuzzy Hash: 6bdd232932ba77679222b6257325b2b1c80f6d76a652428c6f01334a0b3019b4
Instruction Fuzzy Hash: AC912671E00219EFCB14CFA9CC88AEEBBB8FF59320F14855AE515B7291D774A941CB60

Function 00233947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0023396B
CharUpperBuffW.USER32(?,?), ref: 00233A7A
_wcslen.LIBCMT ref: 00233A8A
VariantClear.OLEAUT32(?), ref: 00233C1F

Part of subcall function 00220CDF: VariantInit.OLEAUT32(00000000), ref: 00220D1F
Part of subcall function 00220CDF: VariantCopy.OLEAUT32(?,?), ref: 00220D28
Part of subcall function 00220CDF: VariantClear.OLEAUT32(?), ref: 00220D34

Strings

Incorrect Parameter format, xrefs: 002339A6, 00233BA1
AUTOIT.ERROR, xrefs: 00233A80, 00233A85

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 6f3d4715ef94d153bc58343898cdf0e4d578ab52f1d07da6fe97884561eaf7cb
Instruction ID: 5de5a82ea740cc031ceca79ba36ecf1f5ce91728b54c6b7dec6955fcb5ba4ef2
Opcode Fuzzy Hash: 6f3d4715ef94d153bc58343898cdf0e4d578ab52f1d07da6fe97884561eaf7cb
Instruction Fuzzy Hash: 529169B46183059FC704DF24C48196AB7E5FF99314F14886EF88A9B351DB30EE56CB92

Function 00234BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0021000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?,?,0021035E), ref: 0021002B
Part of subcall function 0021000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210046
Part of subcall function 0021000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210054
Part of subcall function 0021000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?), ref: 00210064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00234C51
_wcslen.LIBCMT ref: 00234D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00234DCF
CoTaskMemFree.OLE32(?), ref: 00234DDA

Strings

NULL Pointer assignment, xrefs: 00234E23, 00234E52

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 997d5cf7b880abdae0eca16018062c2e5f98158edd96cd7ab5fb0d10a56ecbcc
Instruction ID: 363e19c8d822627530ccfad4f52d49d13051fa99da1f5c3170327b4dd08da5dd
Opcode Fuzzy Hash: 997d5cf7b880abdae0eca16018062c2e5f98158edd96cd7ab5fb0d10a56ecbcc
Instruction Fuzzy Hash: EA914AB1D1021DAFDF14EFA4D881AEEB7B8FF18304F10416AE915A7251DB70AA55CF60

Function 002420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00242183
GetMenuItemCount.USER32(00000000), ref: 002421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002421DD
_wcslen.LIBCMT ref: 00242213
GetMenuItemID.USER32(?,?), ref: 0024224D
GetSubMenu.USER32(?,?), ref: 0024225B

Part of subcall function 00213A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00213A57
Part of subcall function 00213A3D: GetCurrentThreadId.KERNEL32 ref: 00213A5E
Part of subcall function 00213A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002125B3), ref: 00213A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002422E3

Part of subcall function 0021E97B: Sleep.KERNEL32 ref: 0021E9F3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: debd749d5526f7d56de3a34dfee8d5a835f912a4108b4441fd7da84175bd01a6
Instruction ID: e749ba8e557948468d2f5262907c7ad444c16f64eee5dfc347bdc654e4b72e3e
Opcode Fuzzy Hash: debd749d5526f7d56de3a34dfee8d5a835f912a4108b4441fd7da84175bd01a6
Instruction Fuzzy Hash: 45717D75A10205EFCB14DF69C845AAEBBF5AF88310F508499F81AEB341DB74ED458B90

Function 0021AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0021AEF9
GetKeyboardState.USER32(?), ref: 0021AF0E
SetKeyboardState.USER32(?), ref: 0021AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0021AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0021AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0021AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0021B020

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 77a893accb3afe3cedfc6f45b2dda83ca2f377d79413ce0412ce63e117b40d6a
Instruction ID: c5fee2de9eaa67df906aa73e80b77f5bf34995608042a99289f03c62a58b5f32
Opcode Fuzzy Hash: 77a893accb3afe3cedfc6f45b2dda83ca2f377d79413ce0412ce63e117b40d6a
Instruction Fuzzy Hash: 5851F4A0A253D23DFB374A348C45BFA7EE95B16304F088489F1D9458C2C3E9ACE9D761

Function 0021ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0021AD19
GetKeyboardState.USER32(?), ref: 0021AD2E
SetKeyboardState.USER32(?), ref: 0021AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0021ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0021ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0021AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0021AE38

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d3341ae80fe7e434212e4f7b8b64fa017e3bbf2705b22c21af476875d197693f
Instruction ID: c121a3ecb978ab7890174a54ba61201d4d5d9f52f936bf5f04949b555d997510
Opcode Fuzzy Hash: d3341ae80fe7e434212e4f7b8b64fa017e3bbf2705b22c21af476875d197693f
Instruction Fuzzy Hash: 7E5106A09267D23DFB378B348C45BFA7EE85B56300F088498E0D5468C3C2A4ECE8D752

Function 001E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(001F3CD6,?,?,?,?,?,?,?,?,001E5BA3,?,?,001F3CD6,?,?), ref: 001E5470
__fassign.LIBCMT ref: 001E54EB
__fassign.LIBCMT ref: 001E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,001F3CD6,00000005,00000000,00000000), ref: 001E552C
WriteFile.KERNEL32(?,001F3CD6,00000000,001E5BA3,00000000,?,?,?,?,?,?,?,?,?,001E5BA3,?), ref: 001E554B
WriteFile.KERNEL32(?,?,00000001,001E5BA3,00000000,?,?,?,?,?,?,?,?,?,001E5BA3,?), ref: 001E5584

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 5ebe59035bd0e13fde34c94c1772a96f1cd996de14c1c05e99c4e51da360a737
Instruction ID: b9f597a8a2250c69942ebaa4b2f90ec501a55f59214b8a0505d7a383a1d833e6
Opcode Fuzzy Hash: 5ebe59035bd0e13fde34c94c1772a96f1cd996de14c1c05e99c4e51da360a737
Instruction Fuzzy Hash: 52512A70A00A489FDB14CFA9DC85AEEBBF6EF09304F24415AF555E7291D730DA40CB60

Function 001D2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 001D2D53
_ValidateLocalCookies.LIBCMT ref: 001D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 001D2E0C
_ValidateLocalCookies.LIBCMT ref: 001D2E61

Strings

csm, xrefs: 001D2DF6

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 357838e37b920316add8f55f783d66e9e44a5c0e1c687314012fa769721fe00f
Instruction ID: 4175e75fcc9922be34f4cff29ebeb81fc63b74666a99f5804897117cf304dccb
Opcode Fuzzy Hash: 357838e37b920316add8f55f783d66e9e44a5c0e1c687314012fa769721fe00f
Instruction Fuzzy Hash: 6E41B434E00209EBCF14DFA8CC85A9EBBB5BF65324F148156E9246B392D731AE15CBD1

Function 002310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0023304E: inet_addr.WSOCK32(?), ref: 0023307A
Part of subcall function 0023304E: _wcslen.LIBCMT ref: 0023309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00231112
WSAGetLastError.WSOCK32 ref: 00231121
WSAGetLastError.WSOCK32 ref: 002311C9
closesocket.WSOCK32(00000000), ref: 002311F9

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 1cc13b5557f0c85c5f63c19f3aeed9332807180ffd01cba96346b07edf9cdecc
Instruction ID: 5c7c94172720abcae1ad0857d26cc6a35dae92ad05a5af70f2eca31912b94ca0
Opcode Fuzzy Hash: 1cc13b5557f0c85c5f63c19f3aeed9332807180ffd01cba96346b07edf9cdecc
Instruction Fuzzy Hash: 854112B5210204AFDB109F18D888BEABBE9EF45324F148059FD499B291C7B0EE51CBE0

Function 0021CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0021CF22,?), ref: 0021DDFD

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0021CF22,?), ref: 0021DE16

lstrcmpiW.KERNEL32(?,?), ref: 0021CF45
MoveFileW.KERNEL32(?,?), ref: 0021CF7F
_wcslen.LIBCMT ref: 0021D005
_wcslen.LIBCMT ref: 0021D01B
SHFileOperationW.SHELL32(?), ref: 0021D061

Strings

\*.*, xrefs: 0021CFF3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b3766fdf03ddd3766a77de372c44eacdb40fdb27e923f81ee3deed1bce275aa5
Instruction ID: 232433c414e50c1468727b772a90ddb9880f271b6d0c91eaf416bd5cb1750fdd
Opcode Fuzzy Hash: b3766fdf03ddd3766a77de372c44eacdb40fdb27e923f81ee3deed1bce275aa5
Instruction Fuzzy Hash: 0F4185758552199FDF12EFA4D981ADEB7F9AF28340F1000E6E509EB141EB30AA99CF50

Function 00242DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00242E1C
GetWindowLongW.USER32(?,000000F0), ref: 00242E4F
GetWindowLongW.USER32(?,000000F0), ref: 00242E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00242EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00242EE0
GetWindowLongW.USER32(?,000000F0), ref: 00242EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00242F0B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5745d7d350c7006e518c18633514b37757935d0406da46634a7759bc707d361c
Instruction ID: 5a3ae2e88059d8c80ae7368d5313120fdea95d00ce96daee21aadefd7b0d9182
Opcode Fuzzy Hash: 5745d7d350c7006e518c18633514b37757935d0406da46634a7759bc707d361c
Instruction Fuzzy Hash: 29313438716151DFDB298F19EC88F6537E8EB8AB10F950064F9149B2B2CB71B869DB00

Function 00217726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00217769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0021778F
SysAllocString.OLEAUT32(00000000), ref: 00217792
SysAllocString.OLEAUT32(?), ref: 002177B0
SysFreeString.OLEAUT32(?), ref: 002177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002177DE
SysAllocString.OLEAUT32(?), ref: 002177EC

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9195d369bdb1ed4053bad43ce5e5e734e6f3508fe282c01a2c0a814b82a54fd4
Instruction ID: edfac4d4feba534ca1146d3510529d99cdd6448986e78e4c6be8f0b17e22e51d
Opcode Fuzzy Hash: 9195d369bdb1ed4053bad43ce5e5e734e6f3508fe282c01a2c0a814b82a54fd4
Instruction Fuzzy Hash: 0D21E23A61420AAFDB00EFACDC88CFBB3ECEB59760B108025F915CB190D670DC828760

Function 002177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00217842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00217868
SysAllocString.OLEAUT32(00000000), ref: 0021786B
SysAllocString.OLEAUT32 ref: 0021788C
SysFreeString.OLEAUT32 ref: 00217895
StringFromGUID2.OLE32(?,?,00000028), ref: 002178AF
SysAllocString.OLEAUT32(?), ref: 002178BD

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 374bedd50f67a8755d098e791542614c17a52e8d801984f54939e84527e8ecdc
Instruction ID: a14924b740362468d2c340f3977d796eb7c6610bfdb67ebb8a879337757837b0
Opcode Fuzzy Hash: 374bedd50f67a8755d098e791542614c17a52e8d801984f54939e84527e8ecdc
Instruction Fuzzy Hash: 1C21DE35619209AF9B10AFA8DC8CDEA73FCEB597207218025B904CB2A1D670DC81DB74

Function 002204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0022052E

Strings

nul, xrefs: 00220567

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d59ec798a991ac41f0d407591383ad02d4a4df3ea86f69793be7f939577d6d0d
Instruction ID: bf1be9295e906926bc4e6a262f56d078998c8b848f71db2b91c7c3f467b4e7e7
Opcode Fuzzy Hash: d59ec798a991ac41f0d407591383ad02d4a4df3ea86f69793be7f939577d6d0d
Instruction Fuzzy Hash: C221A574510316BBCB209FA9EC84A9977F4BF45720F604A18F8A1D61E1D7B09970CF60

Function 002205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00220601

Strings

nul, xrefs: 00220639

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 1df0a5601f20abcf592c033f28e5bb27179f416b907344421ff7c0c3669f72e2
Instruction ID: 1b7d4830f0f277617f1313a4cb7e9e9de68af20fab8ab10d496b3d7cb5f48ed8
Opcode Fuzzy Hash: 1df0a5601f20abcf592c033f28e5bb27179f416b907344421ff7c0c3669f72e2
Instruction Fuzzy Hash: 41216F75510316BFDB209FA9EC84AA577E8BF55720F200619FCA1D71E5D7B09970CB10

Function 002440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001B604C
Part of subcall function 001B600E: GetStockObject.GDI32(00000011), ref: 001B6060
Part of subcall function 001B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00244112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0024411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0024412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00244139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00244145

Strings

Msctls_Progress32, xrefs: 002440E3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c1f3ea80f36392c0f4573e39babca0699711a6cd6e670c271ad77f0dca99d245
Instruction ID: 238781490b7a00a764b94a63951ea47062a41db4e3bdc219d0846a23c3ceface
Opcode Fuzzy Hash: c1f3ea80f36392c0f4573e39babca0699711a6cd6e670c271ad77f0dca99d245
Instruction Fuzzy Hash: B71190B215021ABEEF119E64CC86EE77F5DEF19798F014111BA18A6090C7729C219BA4

Function 001ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001ED7A3: _free.LIBCMT ref: 001ED7CC

_free.LIBCMT ref: 001ED82D

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001ED838
_free.LIBCMT ref: 001ED843
_free.LIBCMT ref: 001ED897
_free.LIBCMT ref: 001ED8A2
_free.LIBCMT ref: 001ED8AD
_free.LIBCMT ref: 001ED8B8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 8ed27231ec7e722a7d8479e1cad3e185b7473500f94eba374ce8d7ecf1046ff6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 32113A71940F98AAD621BFF2DC47FCF7BDCAF20704F400825F699A6092DB79B5058662

Function 0021DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0021DA74
LoadStringW.USER32(00000000), ref: 0021DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0021DA91
LoadStringW.USER32(00000000), ref: 0021DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0021DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0021DAB9

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f13486d62b20d3058802a162c67ee09b5e9c1209636c457bf4a0295ea720dfa5
Instruction ID: 04add701728d99dc717a2f4745a73d20eddac346c2162ca584bdf3b348da78ce
Opcode Fuzzy Hash: f13486d62b20d3058802a162c67ee09b5e9c1209636c457bf4a0295ea720dfa5
Instruction Fuzzy Hash: B60186F6910208BFE751DBA8ED8DEE773ACEB09305F504492B74AE2041EA749E844F74

Function 0022096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(010BD420,010BD420), ref: 0022097B
EnterCriticalSection.KERNEL32(010BD400,00000000), ref: 0022098D
TerminateThread.KERNEL32(?,000001F6), ref: 0022099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002209A9
CloseHandle.KERNEL32(?), ref: 002209B8
InterlockedExchange.KERNEL32(010BD420,000001F6), ref: 002209C8
LeaveCriticalSection.KERNEL32(010BD400), ref: 002209CF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6ef8562eb0f62e52231b299a1c43ced6be3003c2a3562e1f011dde1366904f50
Instruction ID: f18ab515642c7f39472a7638cae8301935ad8a4fd8ddeb35ee5c57b18d049d09
Opcode Fuzzy Hash: 6ef8562eb0f62e52231b299a1c43ced6be3003c2a3562e1f011dde1366904f50
Instruction Fuzzy Hash: A9F0CD35543912BBD7916F98FE8DAD67A25BF06B02F501025F502508A1C7B5A475CF90

Function 00231C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00231DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00231DE1
WSAGetLastError.WSOCK32 ref: 00231DF2
htons.WSOCK32(?), ref: 00231EDB
inet_ntoa.WSOCK32(?), ref: 00231E8C

Part of subcall function 002139E8: _strlen.LIBCMT ref: 002139F2

Part of subcall function 00233224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0022EC0C), ref: 00233240

_strlen.LIBCMT ref: 00231F35

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 6552782ef75aeb864cdc1353fbaaebbee26eb6f270067e94e0d1d7bebb152e6d
Instruction ID: f17e78e46d46759eb0e4f1656219635062ff9b02c46a68183ebc09c3a294570f
Opcode Fuzzy Hash: 6552782ef75aeb864cdc1353fbaaebbee26eb6f270067e94e0d1d7bebb152e6d
Instruction Fuzzy Hash: 73B1CD70214301AFC324DF24C885F6A7BE5AFA5318F64894CF45A5B2E2CB71ED52CB92

Function 001B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001B5D30
GetWindowRect.USER32(?,?), ref: 001B5D71
ScreenToClient.USER32(?,?), ref: 001B5D99
GetClientRect.USER32(?,?), ref: 001B5ED7
GetWindowRect.USER32(?,?), ref: 001B5EF8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0bbdd65f2a0d86624e8cded45422cfc37afbcabacd9d72f92920520b8f64d30d
Instruction ID: fb6d6125648dcae5552f86f314635f4aa7ebffe2da73a399a8c538b850c24bba
Opcode Fuzzy Hash: 0bbdd65f2a0d86624e8cded45422cfc37afbcabacd9d72f92920520b8f64d30d
Instruction Fuzzy Hash: B5B16838A00A4ADBDB14CFA9C4847FAB7F2FF48310F14851AE9A9D7250DB34EA51DB54

Function 001E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E00D6
__allrem.LIBCMT ref: 001E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E010B
__allrem.LIBCMT ref: 001E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E0140

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: cfd73dd3c279bf2736ba7d221d6cc9981b9900ec98d3f5189425b45099d4514f
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 27812872A00B46ABE7259F6ACC81B6F73E8AF55364F24413EF511DA381E7B0DA418790

Function 001E61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001D82D9,001D82D9,?,?,?,001E644F,00000001,00000001,8BE85006), ref: 001E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001E644F,00000001,00000001,8BE85006,?,?,?), ref: 001E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001E63D8
__freea.LIBCMT ref: 001E63E5

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

__freea.LIBCMT ref: 001E63EE
__freea.LIBCMT ref: 001E6413

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bc991707ccfd5acd0441eeecf6553b5d2fe286e87e92f4cd6d9b4790f45bf19d
Instruction ID: 4d04fcf423613cc46e0d20c8fe8f0e3666d4edb44c2bc43367ca2990d577179d
Opcode Fuzzy Hash: bc991707ccfd5acd0441eeecf6553b5d2fe286e87e92f4cd6d9b4790f45bf19d
Instruction Fuzzy Hash: 93510472A00A96ABDB258F66CC81EBF77A9EF64790F654229FD09D7180DB34DC40C660

Function 0023BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0023BD25
RegCloseKey.ADVAPI32(00000000), ref: 0023BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0023BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0023BDF3
RegCloseKey.ADVAPI32(?), ref: 0023BDFF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 473edf343a9332124bb3bef68223968472a048fbbae5a219b5ef022a64edce81
Instruction ID: 660a798fae54719a747e4bde14847a565c96553accfb87f159fad1233c80567c
Opcode Fuzzy Hash: 473edf343a9332124bb3bef68223968472a048fbbae5a219b5ef022a64edce81
Instruction Fuzzy Hash: 4F81D070218241EFC715DF24C885E6ABBE5FF84308F14895DF55A8B2A2CB32ED15CB92

Function 0020F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0020F7B9
SysAllocString.OLEAUT32(00000001), ref: 0020F860
VariantCopy.OLEAUT32(0020FA64,00000000), ref: 0020F889
VariantClear.OLEAUT32(0020FA64), ref: 0020F8AD
VariantCopy.OLEAUT32(0020FA64,00000000), ref: 0020F8B1
VariantClear.OLEAUT32(?), ref: 0020F8BB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 6452285a98dceba8ea24be4cf21df13cfcd6a741bbcc013d669ebc29c82e32f3
Instruction ID: 6b435c108157580d1568ffafaafd772b033988e100d1382c156709f7268791a0
Opcode Fuzzy Hash: 6452285a98dceba8ea24be4cf21df13cfcd6a741bbcc013d669ebc29c82e32f3
Instruction Fuzzy Hash: C0512A31560304BACFB0AF65D985B69B3A4EF55310F20946BE902DF6D3D7B08C50CB96

Function 0022910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002294E5
_wcslen.LIBCMT ref: 00229506
_wcslen.LIBCMT ref: 0022952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00229585

Strings

X, xrefs: 00229412

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a6f93b7ae9612da5a50018e2e7047d57e39f39fa08cba543897bb7d9b2293525
Instruction ID: 51f9f9e131b289c74845620916c33f0bfd0402b9d3fbf7d73be09d9fe3fc495c
Opcode Fuzzy Hash: a6f93b7ae9612da5a50018e2e7047d57e39f39fa08cba543897bb7d9b2293525
Instruction Fuzzy Hash: 1DE1E330618311DFD724EF64D881BAAB7E4BF94310F14896DF8899B2A2DB30DD55CB92

Function 001C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

BeginPaint.USER32(?,?,?), ref: 001C9241
GetWindowRect.USER32(?,?), ref: 001C92A5
ScreenToClient.USER32(?,?), ref: 001C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001C92D3
EndPaint.USER32(?,?,?,?,?), ref: 001C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002071EA

Part of subcall function 001C9339: BeginPath.GDI32(00000000), ref: 001C9357

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 6fd8ca302b5f76e0cf68c8a545080d247b26c6884b315e3243534e3c3a964af4
Instruction ID: 233d802e3ee455021b5ed2a73bf351360e73edbb5babab67895bc1463428055f
Opcode Fuzzy Hash: 6fd8ca302b5f76e0cf68c8a545080d247b26c6884b315e3243534e3c3a964af4
Instruction Fuzzy Hash: B8419D74105341AFD710DF24DC88FAA7BB8FF66720F140669F998862E2C7319855DB61

Function 002207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0022080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00220847
EnterCriticalSection.KERNEL32(?), ref: 00220863
LeaveCriticalSection.KERNEL32(?), ref: 002208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00220921

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 99c59b562cb6b127f5a301ef0ed16fae97ab8b29d1b055438f95be323a7a4227
Instruction ID: ae69d37ad4f24c2f5ad246b4be7014148fc6ea06178f24fec61e93f73f1253fe
Opcode Fuzzy Hash: 99c59b562cb6b127f5a301ef0ed16fae97ab8b29d1b055438f95be323a7a4227
Instruction Fuzzy Hash: 7D416A71900205EFDF14EF94EC85AAA77B9FF14700F1440A9ED049A297DB70DE61DBA4

Function 002481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0020F3AB,00000000,?,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 0024824C
EnableWindow.USER32(?,00000000), ref: 00248272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002482D1
ShowWindow.USER32(?,00000004), ref: 002482E5
EnableWindow.USER32(?,00000001), ref: 0024830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0024832F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3e0526ea523562aa74f2424af7c655c500c6249d901ac725db0ed061008523c4
Instruction ID: abbe6a6e2b2d0cf9ff950ac0257b715e174685c91bf52a0e781adec3476525dd
Opcode Fuzzy Hash: 3e0526ea523562aa74f2424af7c655c500c6249d901ac725db0ed061008523c4
Instruction Fuzzy Hash: 0741C834622645AFDB1ACF14D899BE87BE4FB46714F1841A9E9084F2B2CB71AC61CF50

Function 00214C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00214C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00214CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00214CEA
_wcslen.LIBCMT ref: 00214D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00214D10
_wcsstr.LIBVCRUNTIME ref: 00214D1A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ba12452b7fa785203811464780e258d0e6d7ed9d9a37b2f231ce82f31d66c77c
Instruction ID: 76f6e494d06290726321cb2770bb6f8ec1d75b24a40c26ea5e86f7851527672b
Opcode Fuzzy Hash: ba12452b7fa785203811464780e258d0e6d7ed9d9a37b2f231ce82f31d66c77c
Instruction Fuzzy Hash: 5C2149312152017BEB196F39BC09EBB7BDCDF65710F10803EF809CA192EB60CC5182A0

Function 0022581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

_wcslen.LIBCMT ref: 0022587B
CoInitialize.OLE32(00000000), ref: 00225995
CoCreateInstance.OLE32(0024FCF8,00000000,00000001,0024FB68,?), ref: 002259AE
CoUninitialize.OLE32 ref: 002259CC

Strings

.lnk, xrefs: 00225876, 002258C1, 00225985

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3c4d3afc14aaba5a63694e004908ea310e5a538c8ea4511b8f3df7d65839496a
Instruction ID: fd8a8f52b3440fb93d9035f01a7bbabf0587b23b5aea4780f42cc9a5e4f216c6
Opcode Fuzzy Hash: 3c4d3afc14aaba5a63694e004908ea310e5a538c8ea4511b8f3df7d65839496a
Instruction Fuzzy Hash: 2DD18370618721AFC714DF64D484A6ABBE1FF99314F10885DF88A9B361DB31EC45CB92

Function 0021175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00210FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00210FCA
Part of subcall function 00210FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00210FD6
Part of subcall function 00210FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00210FE5
Part of subcall function 00210FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00210FEC
Part of subcall function 00210FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00211002

GetLengthSid.ADVAPI32(?,00000000,00211335), ref: 002117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002117BA
HeapAlloc.KERNEL32(00000000), ref: 002117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002117DA
GetProcessHeap.KERNEL32(00000000,00000000,00211335), ref: 002117EE
HeapFree.KERNEL32(00000000), ref: 002117F5

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ff697e3ca77e4dcd10adb40bb88f81f1b1243507de484efef6417fef4a56bd15
Instruction ID: b02d07c674b5135422eaad00e64df2d5502bd45dd6c02bff9b689e5661329fd2
Opcode Fuzzy Hash: ff697e3ca77e4dcd10adb40bb88f81f1b1243507de484efef6417fef4a56bd15
Instruction Fuzzy Hash: FB11EE35522606FFDB109FA8DC49BEEBBE8EB52315F204028F5459B290C731A9A1CB60

Function 002114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00211506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00211515
CloseHandle.KERNEL32(00000004), ref: 00211520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0021154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00211563

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fb08d52156ae2a494df20dd66dea439077d77422ed3dfab76b8ac3785a9e546f
Instruction ID: 003ccc43e8bf77d83f92c99ef560b753796e438788c9f458d4925a58d2234c93
Opcode Fuzzy Hash: fb08d52156ae2a494df20dd66dea439077d77422ed3dfab76b8ac3785a9e546f
Instruction Fuzzy Hash: 6511597660220AABDF119F98ED49BDE7BA9EF49B04F144014FA05A2060C3758EA0DB60

Function 001D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001D3379,001D2FE5), ref: 001D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001D33B7
SetLastError.KERNEL32(00000000,?,001D3379,001D2FE5), ref: 001D3409

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a558b995b7e578d6a4f6b420fb53872e823209da72b0216d6bf6b2023743002d
Instruction ID: fd92bf0e0fe0f376183485a6d912cad9fd383cedc644114c14274c1dfd79ec4e
Opcode Fuzzy Hash: a558b995b7e578d6a4f6b420fb53872e823209da72b0216d6bf6b2023743002d
Instruction Fuzzy Hash: 8E014733209321BFAA292BB97C895272A94FB25379330022FF430803F0EF218E019186

Function 001E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001E5686,001F3CD6,?,00000000,?,001E5B6A,?,?,?,?,?,001DE6D1,?,00278A48), ref: 001E2D78
_free.LIBCMT ref: 001E2DAB
_free.LIBCMT ref: 001E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,001DE6D1,?,00278A48,00000010,001B4F4A,?,?,00000000,001F3CD6), ref: 001E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,001DE6D1,?,00278A48,00000010,001B4F4A,?,?,00000000,001F3CD6), ref: 001E2DEC
_abort.LIBCMT ref: 001E2DF2

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8411905fa15759d8189aa505b38d1a45a64df855fb22a0b5ef4f630669e7c4c6
Instruction ID: e7d12a921ced41967c90f203bd4a09aa738645868558f8f3c4b373cb25d0372d
Opcode Fuzzy Hash: 8411905fa15759d8189aa505b38d1a45a64df855fb22a0b5ef4f630669e7c4c6
Instruction Fuzzy Hash: FCF02D35505D8027C25637BB7C2EE1E165DBFD27A4F354028F629D31D2EF3488014120

Function 00248A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001C9693
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96A2
Part of subcall function 001C9639: BeginPath.GDI32(?), ref: 001C96B9
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00248A4E
LineTo.GDI32(?,00000003,00000000), ref: 00248A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00248A70
LineTo.GDI32(?,00000000,00000003), ref: 00248A80
EndPath.GDI32(?), ref: 00248A90
StrokePath.GDI32(?), ref: 00248AA0

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9e7c0af503ed4558ccf462b55f4a9fc81f0a836be042d8de4fe81d3c1998dc51
Instruction ID: 70b34d3b688d63a59165080b8d25de603c5ab0ad3defcf5d63ada91d91e89531
Opcode Fuzzy Hash: 9e7c0af503ed4558ccf462b55f4a9fc81f0a836be042d8de4fe81d3c1998dc51
Instruction Fuzzy Hash: 3D11097A001159FFDB129F94EC88EAA7F6CEB09350F148012FA199A1A1C7719D65DBA0

Function 002151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00215218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00215229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00215230
ReleaseDC.USER32(00000000,00000000), ref: 00215238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0021524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00215261

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a8319687082e52f593faf51cdbfb2aad60612efee3313aba4c3eb7f15525e54d
Instruction ID: d690895251d068554ea4edc9a6a088edb44703a545067fa094f5296702ea860c
Opcode Fuzzy Hash: a8319687082e52f593faf51cdbfb2aad60612efee3313aba4c3eb7f15525e54d
Instruction Fuzzy Hash: 0A018F75A01719BBEB109FA99C49A4EBFB8EB89351F144065FE08A7291D6709C10CFA0

Function 001B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 001B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 001B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 001B1C22

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5c7c12a4234de8f87ae09045b017078f02e947e530ddf276ce95ee9da8048cf5
Instruction ID: 386572366797130e2ada894bc9a7107854f0fbf59b095bea6f424ecbaf4d79b0
Opcode Fuzzy Hash: 5c7c12a4234de8f87ae09045b017078f02e947e530ddf276ce95ee9da8048cf5
Instruction Fuzzy Hash: 120167B0902B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CFE5

Function 0021EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0021EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0021EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0021EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0021EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0021EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0021EB75

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 83f8bb6c1ef1b2c019ebc8e61e9faa521029f5ff26deb801a50f0b43a3a2576e
Instruction ID: b8dd0ff62fc04eb7728950c06fcf76fa5212fa5769377f67a01a3d2691a903c0
Opcode Fuzzy Hash: 83f8bb6c1ef1b2c019ebc8e61e9faa521029f5ff26deb801a50f0b43a3a2576e
Instruction Fuzzy Hash: 02F09ABA202158BBE7205B66AC0EEEF3E7CEFCBF11F104158FA01D1090D7A01A01C6B4

Function 00207439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00207452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00207469
GetWindowDC.USER32(?), ref: 00207475
GetPixel.GDI32(00000000,?,?), ref: 00207484
ReleaseDC.USER32(?,00000000), ref: 00207496
GetSysColor.USER32(00000005), ref: 002074B0

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: c0bc03edd1fb736c0cb61ce4792940c158f8ca21c867b01d64f9cb66e7e218fb
Instruction ID: c4b6e59c6f4f533afe0475d51210b8d13f85994a461cd84e85031ddd9d49caa6
Opcode Fuzzy Hash: c0bc03edd1fb736c0cb61ce4792940c158f8ca21c867b01d64f9cb66e7e218fb
Instruction Fuzzy Hash: F9014B35811215EFDB915F68EC0CBAE7BB9FB05311F614164F915A21E2CB312E51AB50

Function 00211874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0021187F
UnloadUserProfile.USERENV(?,?), ref: 0021188B
CloseHandle.KERNEL32(?), ref: 00211894
CloseHandle.KERNEL32(?), ref: 0021189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002118A5
HeapFree.KERNEL32(00000000), ref: 002118AC

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 74ee2759457433044612de62307b5b4841864c8184529134c925b61b85892a97
Instruction ID: a91b97487984a05ceb0f1ad31513717014b5c4686b16f2db27057e573c997ce3
Opcode Fuzzy Hash: 74ee2759457433044612de62307b5b4841864c8184529134c925b61b85892a97
Instruction Fuzzy Hash: 20E0E53A206501BBDB416FA9FD0C90ABF39FF4AB22B208220F22981070CB329420DF50

Function 001BBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001BBEB3

Strings

D%(, xrefs: 001BBCA2
D%(D%(, xrefs: 001BBCA5
D%(, xrefs: 001BBE9A
D%(, xrefs: 001BBDED, 001BBD91, 001BBD1B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%($D%($D%($D%(D%(
API String ID: 1385522511-2826432073
Opcode ID: d3ee799876aff52c3f687f17aadd13af5399f430c044a5f676da5bc54b5112cd
Instruction ID: dc6545fd7101b64a7e5b7646d02a2692eda5570ab9fc07475945931f28ef4132
Opcode Fuzzy Hash: d3ee799876aff52c3f687f17aadd13af5399f430c044a5f676da5bc54b5112cd
Instruction Fuzzy Hash: 08915975A0820ACFCB18CF99C0D06EABBF1FF58314F64816AD945AB750D7B5E981CB90

Function 00237B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 001D0242: EnterCriticalSection.KERNEL32(0028070C,00281884,?,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D024D
Part of subcall function 001D0242: LeaveCriticalSection.KERNEL32(0028070C,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D028A

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 001D00A3: __onexit.LIBCMT ref: 001D00A9

__Init_thread_footer.LIBCMT ref: 00237BFB

Part of subcall function 001D01F8: EnterCriticalSection.KERNEL32(0028070C,?,?,001C8747,00282514), ref: 001D0202
Part of subcall function 001D01F8: LeaveCriticalSection.KERNEL32(0028070C,?,001C8747,00282514), ref: 001D0235

Strings

Variable must be of type 'Object'., xrefs: 00237C3A
+T , xrefs: 00237E2E
5, xrefs: 00237C78
G, xrefs: 00237C7F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T $5$G$Variable must be of type 'Object'.
API String ID: 535116098-4255551972
Opcode ID: 6d8489f2121e3840dc613ec639762aa0985afb1342426a43e1abce7bc2c5250a
Instruction ID: 8d5cce7e34387add40b91ad6e63fa278ef3bc2e2aafe26cd2767739e8781f0d5
Opcode Fuzzy Hash: 6d8489f2121e3840dc613ec639762aa0985afb1342426a43e1abce7bc2c5250a
Instruction Fuzzy Hash: 52918DB4A24209EFCF24EF94D891DADB7B1FF49300F508059F8069B292DB71AE65CB51

Function 0021C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0021C6EE
_wcslen.LIBCMT ref: 0021C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0021C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0021C7CA

Strings

0, xrefs: 0021C6AF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 22bbe157fc05792c8aa1ead0c4aee9e8d765fc5bbd6247110ca7911d2d79a854
Instruction ID: be7275d54b28b62c908e7311b9b73ed39b6951e5f59329d9b23c6d7c99c97119
Opcode Fuzzy Hash: 22bbe157fc05792c8aa1ead0c4aee9e8d765fc5bbd6247110ca7911d2d79a854
Instruction Fuzzy Hash: D85104796A43429BD3109F28C885BFBB7ECAFA5310F24092DF591D21D0D7B0C8A5CB52

Function 0023AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0023AEA3

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

GetProcessId.KERNEL32(00000000), ref: 0023AF38
CloseHandle.KERNEL32(00000000), ref: 0023AF67

Strings

<, xrefs: 0023AE6B
@, xrefs: 0023AE72

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ec187183342623675f6ccb0d1ac0c6324a9da3c6f06138b4ea9affc2438ba118
Instruction ID: 82d97616ed8071b0cf471b94b961342874a68d330dc709b6ebc64b9e4fac96d1
Opcode Fuzzy Hash: ec187183342623675f6ccb0d1ac0c6324a9da3c6f06138b4ea9affc2438ba118
Instruction Fuzzy Hash: CC71ACB4A00219DFCB14DF58D485A9EBBF0FF18314F0484A9E856AB7A2CB75ED41CB91

Function 0021719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00217206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0021723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0021724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002172CF

Strings

DllGetClassObject, xrefs: 00217242

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ace7e68b856efb751e856b5da9d7d20d2cccb2ee643a0a2a524563851fe9b916
Instruction ID: def1771920c2a02eb99446ed9dc8104dbeece9b00fdd7e9f91a2c89da9812030
Opcode Fuzzy Hash: ace7e68b856efb751e856b5da9d7d20d2cccb2ee643a0a2a524563851fe9b916
Instruction Fuzzy Hash: 5B418171614204EFDB15CF54C884ADA7BF9EF99310F2480A9BD099F20AD7B1D995CBA0

Function 00242F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00242F8D
LoadLibraryW.KERNEL32(?), ref: 00242F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00242FA9
DestroyWindow.USER32(?), ref: 00242FB1

Strings

SysAnimate32, xrefs: 00242F68

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 25ca1ae248fe7852bd617c96926264bd8fe668c107a0d55d0f85a050fd889819
Instruction ID: efa7150cad419fc60afeec0259e1d280738e646da4b02efdfc2bdd326761acb1
Opcode Fuzzy Hash: 25ca1ae248fe7852bd617c96926264bd8fe668c107a0d55d0f85a050fd889819
Instruction Fuzzy Hash: DD21F071220206EBEB144F66DC84EBB37BDEB59364F924218F910D6490C371DC699760

Function 001D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001D4D1E,001E28E9,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002), ref: 001D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,001D4D1E,001E28E9,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002,00000000), ref: 001D4DC3

Strings

mscoree.dll, xrefs: 001D4D86
CorExitProcess, xrefs: 001D4D98

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b4f624c1876fc20204c9b74d4a3f2ef0d27cd05e3563bc30f295b8fcdff618cb
Instruction ID: 2d2d5dc15d4ce2b25098db4d5897aedaa1165d51df6ff8629cdea991a8027e9a
Opcode Fuzzy Hash: b4f624c1876fc20204c9b74d4a3f2ef0d27cd05e3563bc30f295b8fcdff618cb
Instruction Fuzzy Hash: 22F0C234A01208BBDB159F94EC4DBADBFB5EF09712F1000A9FC09A2260CB305E40CF94

Function 001B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001B4EAE
FreeLibrary.KERNEL32(00000000,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 001B4EA8
kernel32.dll, xrefs: 001B4E94

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5d578596dcf16c3af1360bdbbbe8111a8f200711825f76b080b4c515d1b5b43d
Instruction ID: b7353fa0f44b724795551e306449c710e54f4439f6673d6d59ca9229edd6b4aa
Opcode Fuzzy Hash: 5d578596dcf16c3af1360bdbbbe8111a8f200711825f76b080b4c515d1b5b43d
Instruction Fuzzy Hash: D4E0CD39A035225BD271172D7C1CB9F6554AF83F627154115FC0CD2102DB64CD0185B5

Function 001B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001B4E74
FreeLibrary.KERNEL32(00000000,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 001B4E6E
kernel32.dll, xrefs: 001B4E5B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: cd0f84a3f55cda69f62c803d196df1c26ff3326c2fe46d9b438ac67c0a2f794e
Instruction ID: 2453c485c2ea7e377950fcb2ecc703875223454d6fefe298852b7e9528d980f0
Opcode Fuzzy Hash: cd0f84a3f55cda69f62c803d196df1c26ff3326c2fe46d9b438ac67c0a2f794e
Instruction Fuzzy Hash: 28D0C239503A215766621B287C0CDCB6B18AF87B113158110F80CA2111CF24CD01C5E0

Function 00222947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00222C05
DeleteFileW.KERNEL32(?), ref: 00222C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00222C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00222CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00222CC0

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5cad39b3e52f7f1443207b34d1f48f9ed3efb7a89a4d45666c5a8276c3543557
Instruction ID: 482107fc7244db54da9f89fd4397a97cb9ec47ca950ce7a04bc0c1cafed37085
Opcode Fuzzy Hash: 5cad39b3e52f7f1443207b34d1f48f9ed3efb7a89a4d45666c5a8276c3543557
Instruction Fuzzy Hash: 4AB16D72910129BBDF21EFE4DC85EDEB7BDEF19300F1040A6F509A6241EB719A588F61

Function 0023A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0023A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0023A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0023A468
CloseHandle.KERNEL32(?), ref: 0023A63D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 95f03030b3e16867489030ab36bfa7671daa0eedea34b759219f9363c6acc55b
Instruction ID: 3419bba67904b5b7e2177cb9f7e644e6aabf3ff7bfc2bedc4fcbbe2af19b7d7d
Opcode Fuzzy Hash: 95f03030b3e16867489030ab36bfa7671daa0eedea34b759219f9363c6acc55b
Instruction Fuzzy Hash: 7FA1C2B16043019FD720DF28D886F2AB7E5AF94714F14885CF59A9B3D2DBB0EC408B92

Function 001EBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00253700), ref: 001EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0028121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00281270,000000FF,?,0000003F,00000000,?), ref: 001EBC36
_free.LIBCMT ref: 001EBB7F

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001EBD4B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 7961a09b339fc086a0721a8dcd203551972d67dac61961165ead64764f3809ba
Instruction ID: cd7deac7d500747492aca34b8a756fab330c31686112844fb9e3e2c945d88f19
Opcode Fuzzy Hash: 7961a09b339fc086a0721a8dcd203551972d67dac61961165ead64764f3809ba
Instruction Fuzzy Hash: F0514975808659AFCB10EF76ACC59AFB7BCFF44320F20026AE414D3195EB309E418B90

Function 0021E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0021CF22,?), ref: 0021DDFD

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0021CF22,?), ref: 0021DE16

Part of subcall function 0021E199: GetFileAttributesW.KERNEL32(?,0021CF95), ref: 0021E19A

lstrcmpiW.KERNEL32(?,?), ref: 0021E473
MoveFileW.KERNEL32(?,?), ref: 0021E4AC
_wcslen.LIBCMT ref: 0021E5EB
_wcslen.LIBCMT ref: 0021E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0021E650

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: fd069f089fce8edff063ba60d9569224cc942dd4cb27deb02485cfb23fbb153f
Instruction ID: 56f5b47b4afa2bfb830ecfcd1975f520c6ad67f13bf771eb8510925642d2c90e
Opcode Fuzzy Hash: fd069f089fce8edff063ba60d9569224cc942dd4cb27deb02485cfb23fbb153f
Instruction Fuzzy Hash: AA5183B24083859BCB24DF94DC819DB73ECAFA5340F10491EFA89D3151EF74A5988B66

Function 0023B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0023BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0023BB63
RegCloseKey.ADVAPI32(?,?), ref: 0023BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0023BBB3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ed6b3f3c8cc9384cd6c7f3de365d7248c52492b210142836d9a4fe08e78d03b1
Instruction ID: c2c0509aeb9cf67f1958912b1829da16a3e9b3939a4f6b218c7ab6ca4e3d82a2
Opcode Fuzzy Hash: ed6b3f3c8cc9384cd6c7f3de365d7248c52492b210142836d9a4fe08e78d03b1
Instruction Fuzzy Hash: 5F61C071218201AFC315DF24C490E6ABBE5FF84308F54899DF5998B2A2CB31ED46CB92

Function 00218BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00218BCD
VariantClear.OLEAUT32 ref: 00218C3E
VariantClear.OLEAUT32 ref: 00218C9D
VariantClear.OLEAUT32(?), ref: 00218D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00218D3B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: accd32d5603fd000b861936f19152746e90aed49f1826266dcf96d94a6374f48
Instruction ID: 28aa18d3cd409f9fb8542e15e456d3e82786bef9c9e04d638d67f990195e9d98
Opcode Fuzzy Hash: accd32d5603fd000b861936f19152746e90aed49f1826266dcf96d94a6374f48
Instruction Fuzzy Hash: D3518AB5A10619EFCB14CF68D884AAAB7F8FF99310B118569F905DB350E730E911CF90

Function 00228AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00228BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00228BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00228C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00228C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00228C5F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 88f3fbe753f9c461c16bbccaaf8edf9b717961932247a5a51540c44bfda68c1d
Instruction ID: 60efa0e5530be04df03619a7dcb9f099fa1ce4e6626c16b3865edeea55b19326
Opcode Fuzzy Hash: 88f3fbe753f9c461c16bbccaaf8edf9b717961932247a5a51540c44bfda68c1d
Instruction Fuzzy Hash: DA516C35A00215AFCB15DF65D881EADBBF5FF59314F088059E849AB3A2CB31ED51CBA0

Function 00238EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00238F40
GetProcAddress.KERNEL32(00000000,?), ref: 00238FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00238FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00239032
FreeLibrary.KERNEL32(00000000), ref: 00239052

Part of subcall function 001CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00221043,?,761DE610), ref: 001CF6E6
Part of subcall function 001CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0020FA64,00000000,00000000,?,?,00221043,?,761DE610,?,0020FA64), ref: 001CF70D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: fe3571365a71e5d6b5cb72362a0719141c1b6b13bc16a1f2f5ce1e7f9a56df21
Instruction ID: 6dcf4cf17a6af691b376cd857b4262b21bbfa891a80e45b9ac334a3bc24fd098
Opcode Fuzzy Hash: fe3571365a71e5d6b5cb72362a0719141c1b6b13bc16a1f2f5ce1e7f9a56df21
Instruction Fuzzy Hash: 08514874605205DFCB14DF68C4848ADBBB1FF59314F1480A8E80A9B762DB71ED86CB90

Function 00246B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00246C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00246C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00246C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0022AB79,00000000,00000000), ref: 00246C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00246CC7

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2f7cd2c42b0cab58088b81777cd1a27ccc899be0f64628524505fd265997f441
Instruction ID: b27398e79ffef281ef291057ee7a3f9d14a96311514f419e21e6635f72edbbb5
Opcode Fuzzy Hash: 2f7cd2c42b0cab58088b81777cd1a27ccc899be0f64628524505fd265997f441
Instruction Fuzzy Hash: 2141D735A24105AFD72CCF68DC9CFA97BA9EB0B350F150269F895A72E0C371ED61CA41

Function 001E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001E20C3
_free.LIBCMT ref: 001E20E3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9ae3fa5d31c192fc5a5486828d44fe36f6784c8171da842b80f2370f316949af
Instruction ID: 1398f736ee460d196fde8d5a16a67ad3d9511ebfb412636026f713ba9fe2974f
Opcode Fuzzy Hash: 9ae3fa5d31c192fc5a5486828d44fe36f6784c8171da842b80f2370f316949af
Instruction Fuzzy Hash: 0B41E232A006009FCB24DF79C891A9DB3E9EF99314F26456DE515EB392D731EE01CB80

Function 001C912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001C9141
ScreenToClient.USER32(00000000,?), ref: 001C915E
GetAsyncKeyState.USER32(00000001), ref: 001C9183
GetAsyncKeyState.USER32(00000002), ref: 001C919D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2fe1b61018c9bf7e217b0bb872e582f8f756d8c138fab6fe56e6d671e0c94fb2
Instruction ID: a82aaab5a1738aaa6be66b2988d291a308b19cb4fcf135b65006266d6a313bc6
Opcode Fuzzy Hash: 2fe1b61018c9bf7e217b0bb872e582f8f756d8c138fab6fe56e6d671e0c94fb2
Instruction Fuzzy Hash: 34415131A0860BEBDF199F64C849BEEF775FB15330F244219E429A22D1C770A964CF91

Function 00223874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00223922
TranslateMessage.USER32(?), ref: 0022394B
DispatchMessageW.USER32(?), ref: 00223955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00223966

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4c5f0a0f9e2d6d7f6e075e94d5a2001b432ee89899adbea705ab8809a8571089
Instruction ID: b640538b95479d0cd4dafa945cb79b27e8ca1de7937e175c5f43caca1857be78
Opcode Fuzzy Hash: 4c5f0a0f9e2d6d7f6e075e94d5a2001b432ee89899adbea705ab8809a8571089
Instruction Fuzzy Hash: 4131B574925362FEEB25CFB4B84DBB637A8AB06300F140569E452961E0E3FC96E5CB11

Function 0022CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0022C21E,00000000), ref: 0022CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0022CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0022C21E,00000000), ref: 0022CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0022C21E,00000000), ref: 0022CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0022C21E,00000000), ref: 0022CFF2

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 1b963528d60c7c95ea78600a0ffc795a292cccdbf2c37046a326acb2f977fa54
Instruction ID: 4c7ddc64ac2ef28e9cd67fd59923f20faf046258c7addf168ca538d40a42d2e9
Opcode Fuzzy Hash: 1b963528d60c7c95ea78600a0ffc795a292cccdbf2c37046a326acb2f977fa54
Instruction Fuzzy Hash: 95318B71510216FFDB20DFE9E984AAEBBF9EB14350B20402EF506D2550DB70EE519B60

Function 00211901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00211915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002119E2

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fc31c6fac8d6b6479b1791bd637f66cef6c11f80f520c23fc3ef62ce6d4b5f3f
Instruction ID: 0f0baf0fc577348baf8124a22b25f203852d8a95d44c40a14f06082e2a3631f0
Opcode Fuzzy Hash: fc31c6fac8d6b6479b1791bd637f66cef6c11f80f520c23fc3ef62ce6d4b5f3f
Instruction Fuzzy Hash: BB31E27191021AEFCB04CFACDD9DADE3BB5EB55314F108225FA25A72D0C37099A4CB90

Function 00245706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00245745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0024579D
_wcslen.LIBCMT ref: 002457AF
_wcslen.LIBCMT ref: 002457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00245816

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5d88ae40eab6f800645eaf0b2e1127ea0927f03f85c6e663ea3629b0eb1e4459
Instruction ID: 445eb5753e8f4233906373572e1617a56e3be470f31ea7f5fac2e15771077f16
Opcode Fuzzy Hash: 5d88ae40eab6f800645eaf0b2e1127ea0927f03f85c6e663ea3629b0eb1e4459
Instruction Fuzzy Hash: E721D5749246289BDB248F64CC85AEDB7BCFF05324F108216F969EA1C1D7708995CF50

Function 00230930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00230951
GetForegroundWindow.USER32 ref: 00230968
GetDC.USER32(00000000), ref: 002309A4
GetPixel.GDI32(00000000,?,00000003), ref: 002309B0
ReleaseDC.USER32(00000000,00000003), ref: 002309E8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9a27e9143e19d6c0d28734003911400eba7e692c5ed74c32778801a011a1a826
Instruction ID: 2d47ddb32deea60f46b26b4bcd5508c6cf43aca1a71f4c3fe69d509fdd6a062d
Opcode Fuzzy Hash: 9a27e9143e19d6c0d28734003911400eba7e692c5ed74c32778801a011a1a826
Instruction Fuzzy Hash: 9A21A479600214AFD714EFA8E888AAEB7F9EF45700F158068F84A97762CB70AD04CB50

Function 001ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001ECDE9

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001ECE0F
_free.LIBCMT ref: 001ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001ECE31

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 99ab800f0947addf9becf83ae1c668f97d1be533b4fb159ab7fe5b746728026c
Instruction ID: 0e532a76624708e26e67a26bd105dbb1c91e49b34bd2374f9b45c4535822bd0d
Opcode Fuzzy Hash: 99ab800f0947addf9becf83ae1c668f97d1be533b4fb159ab7fe5b746728026c
Instruction Fuzzy Hash: 2D018476602A957F23251ABB7C8DD7F6D6DEEC7FA13250129F909D7201EB618D0281F0

Function 001C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001C9693
SelectObject.GDI32(?,00000000), ref: 001C96A2
BeginPath.GDI32(?), ref: 001C96B9
SelectObject.GDI32(?,00000000), ref: 001C96E2

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c8dd110abf90501ac821e970ae0ada29e0d30c5c8b1d980516654f32168c32fc
Instruction ID: 8daa4436f9598f4b58d808128f1e387266f0b38a6a05d266d7b59d8b9c00e34a
Opcode Fuzzy Hash: c8dd110abf90501ac821e970ae0ada29e0d30c5c8b1d980516654f32168c32fc
Instruction Fuzzy Hash: 26218E38803355EBDB119F68FC0CBA93BA8BB21325F20061AF414A61F1D37098A2CF94

Function 00215711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00215726
_memcmp.LIBVCRUNTIME ref: 00215744
_memcmp.LIBVCRUNTIME ref: 00215757
_memcmp.LIBVCRUNTIME ref: 0021576F
_memcmp.LIBVCRUNTIME ref: 00215787

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 071917a880a310869dfce56137d8662d70fa1b4731ffe71ab0d587a3b7a3ba78
Instruction ID: c4c59fe808cfe758d9b634dd227e719fa32c7bafac43d136f0ea561b4337e740
Opcode Fuzzy Hash: 071917a880a310869dfce56137d8662d70fa1b4731ffe71ab0d587a3b7a3ba78
Instruction Fuzzy Hash: 9C0196656A1615FAD24899109E83FFBB3DDABB63A4B004062FD049A281F760ED7186A0

Function 001E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001DF2DE,001E3863,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6), ref: 001E2DFD
_free.LIBCMT ref: 001E2E32
_free.LIBCMT ref: 001E2E59
SetLastError.KERNEL32(00000000,001B1129), ref: 001E2E66
SetLastError.KERNEL32(00000000,001B1129), ref: 001E2E6F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b508067df1919a734c867532535f4a7af1b0afd1527749bf231182e698439c62
Instruction ID: 650fc22bf56aa1f4bd8df5e5eda42148907c1e0f01bf8f749b778eb2fcc2b1ac
Opcode Fuzzy Hash: b508067df1919a734c867532535f4a7af1b0afd1527749bf231182e698439c62
Instruction Fuzzy Hash: A5012836206EA067C626677B7C5ED2F2A5DABE27B5B324038F425A32D3EF748C014120

Function 0021000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?,?,0021035E), ref: 0021002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?), ref: 00210064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210070

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 51e69050b75a95bbde679337ed56578efcf3b17a4bc15b743423302df46d9204
Instruction ID: 4e18cd1c2a4099d6d95a7e18212b92ec380a4250c2ab430665e0b7ef69813d9a
Opcode Fuzzy Hash: 51e69050b75a95bbde679337ed56578efcf3b17a4bc15b743423302df46d9204
Instruction Fuzzy Hash: 3B01F27A611214BFDB114F68EC88BEA7AEDEF58791F204024F801D2210E7B1DED08BA0

Function 0021E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0021E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0021E9A5
Sleep.KERNEL32(00000000), ref: 0021E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0021E9B7
Sleep.KERNEL32 ref: 0021E9F3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ca4ec96d4a712a808a97832d7fae786d740e46794cd046fa56291d81c3c7f896
Instruction ID: 2ebaecd07f716fab53f0e78d4bf60600a72ef6aa35895f6ba68015c5ac31151d
Opcode Fuzzy Hash: ca4ec96d4a712a808a97832d7fae786d740e46794cd046fa56291d81c3c7f896
Instruction Fuzzy Hash: 9D015B35C1252DDBCF409FE8EC4DAEDBBB8BB19700F110556E906B2140DB7095A087A2

Function 002110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00211114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 0021112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0021114D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c8ba3ba9a336d8f648c280b60d83aeac8451e144cdbe96e1dd2a1c6b77df5c2d
Instruction ID: 8afbd939a2b9012f8f065d2ff5f5249b651c220fe20737bbf4ee8d6b17368ed9
Opcode Fuzzy Hash: c8ba3ba9a336d8f648c280b60d83aeac8451e144cdbe96e1dd2a1c6b77df5c2d
Instruction Fuzzy Hash: 4D018179101605BFDB514FA9EC4DEAA7FAEEF86364B200424FA49C3360DB31DC508E60

Function 00210FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00210FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00210FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00210FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00210FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00211002

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 81c2f7794f4fab072f17835341495b0ce7994a39f4ec8d8f2eed940401713951
Instruction ID: 2852ec81b4c5426b3a5b76f610cf0bd321cb4e936eb43d9a804080a8b7855944
Opcode Fuzzy Hash: 81c2f7794f4fab072f17835341495b0ce7994a39f4ec8d8f2eed940401713951
Instruction Fuzzy Hash: ECF06239602311EBD7215FA8EC4DF963FADEF8A761F204414FE49C7251CA70DC908A60

Function 00211014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0021102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00211036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0021104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211062

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fc4b0f89a2362747434dfd93171517e4da80f0e1e16bffba1dd19ce11c8ed527
Instruction ID: 11a56e02865507b9db3e652d26dc9402b515fed783d271c10546e564c8373468
Opcode Fuzzy Hash: fc4b0f89a2362747434dfd93171517e4da80f0e1e16bffba1dd19ce11c8ed527
Instruction Fuzzy Hash: 47F06239602311EBD7215FA9EC4DF963FADEF8A761F200414FE49C7250CA70D890CA60

Function 0022030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220324
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220331
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 0022033E
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 0022034B
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220358
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220365

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3ebdaefee82bd5b5337d053a793c81467dc09c1fe741ed022cf3a64b8bfe999d
Instruction ID: 2f96db6bd507077138163f383ecd8a33bae45bdfd25766a8a0d2e390f9821aa8
Opcode Fuzzy Hash: 3ebdaefee82bd5b5337d053a793c81467dc09c1fe741ed022cf3a64b8bfe999d
Instruction Fuzzy Hash: 3001A272811B26AFC730AFA6E8C0416FBF5BF503153158A7FD19652932C3B1A964CF80

Function 001ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001ED752

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001ED764
_free.LIBCMT ref: 001ED776
_free.LIBCMT ref: 001ED788
_free.LIBCMT ref: 001ED79A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f296488ac5aaad2757863b686af0049cd335249675e55509fe5f341e9c823072
Instruction ID: cc7878053bd095be1262853dcdecf9e983e44a5cd96d0877d45de549a46b7283
Opcode Fuzzy Hash: f296488ac5aaad2757863b686af0049cd335249675e55509fe5f341e9c823072
Instruction Fuzzy Hash: 94F09632900A98AB8625EB76F9C7C1E77DDBB04318BA51C09F04CE7502C734FCC08661

Function 00215C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00215C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00215C6F
MessageBeep.USER32(00000000), ref: 00215C87
KillTimer.USER32(?,0000040A), ref: 00215CA3
EndDialog.USER32(?,00000001), ref: 00215CBD

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: be1dfd4c5123aaf125f3ea24dae3ba7fe65b2880456802c1f7b1203fb8a7829b
Instruction ID: afad14b6eb0b356ac206a1ab19b6905a75fa97f178230950ca6756eec598fdb7
Opcode Fuzzy Hash: be1dfd4c5123aaf125f3ea24dae3ba7fe65b2880456802c1f7b1203fb8a7829b
Instruction Fuzzy Hash: A401D634511B14EBEB215F14ED4EFE677FCBB51B01F0001AAB683A10E0DBF4A9948A90

Function 001E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E22BE

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001E22D0
_free.LIBCMT ref: 001E22E3
_free.LIBCMT ref: 001E22F4
_free.LIBCMT ref: 001E2305

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e3b13d72bda0825a5d8ed87bf08640dba8c54c163ad0e0d546c4fee59286ecfb
Instruction ID: d6ca8b38e9bb9037032bab62aacad6769b57dcdf5d79695158cdd3a3c6d84a87
Opcode Fuzzy Hash: e3b13d72bda0825a5d8ed87bf08640dba8c54c163ad0e0d546c4fee59286ecfb
Instruction Fuzzy Hash: 85F054B94029748B8627AF65BC5A80C3B6CF738760711550AF518D72B6CB3404629FE5

Function 001C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001C95D4
StrokeAndFillPath.GDI32(?,?,002071F7,00000000,?,?,?), ref: 001C95F0
SelectObject.GDI32(?,00000000), ref: 001C9603
DeleteObject.GDI32 ref: 001C9616
StrokePath.GDI32(?), ref: 001C9631

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 87420341f67da84129aa82e6486b78f8eafffe2ed75022c8b9ebc63be7d8cfb2
Instruction ID: 041165ffe2e7b377dc57035ace0d26b2e48464c2cc4b38a1bdb8cc41f46c35ed
Opcode Fuzzy Hash: 87420341f67da84129aa82e6486b78f8eafffe2ed75022c8b9ebc63be7d8cfb2
Instruction Fuzzy Hash: B3F04938007688EBDB265F69FD1CB683F69BB12322F148218F429550F2C73089A6DF20

Function 001E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001E10F9
__freea.LIBCMT ref: 001E1117

Part of subcall function 001E1537: _free.LIBCMT ref: 001E154F

Strings

am/pm, xrefs: 001E117A
a/p, xrefs: 001E11DE

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 9e284516305cc23f24336508740e507838964853d476cf193ca3c16be52e48e6
Instruction ID: 8d21ac3afbd2f09bd5225618bf5d820a66e592acec64acb4ae79dc46eb170715
Opcode Fuzzy Hash: 9e284516305cc23f24336508740e507838964853d476cf193ca3c16be52e48e6
Instruction Fuzzy Hash: CBD13871900AC6FBCB289F6AC845BFEB7B1FF05710F290159EA01AB654D3759D80CB91

Function 002361D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 001D0242: EnterCriticalSection.KERNEL32(0028070C,00281884,?,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D024D
Part of subcall function 001D0242: LeaveCriticalSection.KERNEL32(0028070C,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D028A

Part of subcall function 001D00A3: __onexit.LIBCMT ref: 001D00A9

__Init_thread_footer.LIBCMT ref: 00236238

Part of subcall function 001D01F8: EnterCriticalSection.KERNEL32(0028070C,?,?,001C8747,00282514), ref: 001D0202
Part of subcall function 001D01F8: LeaveCriticalSection.KERNEL32(0028070C,?,001C8747,00282514), ref: 001D0235

Part of subcall function 0022359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002235E4
Part of subcall function 0022359C: LoadStringW.USER32(00282390,?,00000FFF,?), ref: 0022360A

Strings

x#(, xrefs: 00236353
x#(, xrefs: 0023636F
x#(, xrefs: 0023633A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#($x#($x#(
API String ID: 1072379062-2662966677
Opcode ID: 189b81a6f43c4caa42e3e2b423d14f794ad20c2c966b82780d699f640bacd1ac
Instruction ID: 6c08e0d3cd7b6e3fe9ac4cd88b05a236058826808b6a3d82e0501cb2e89d4191
Opcode Fuzzy Hash: 189b81a6f43c4caa42e3e2b423d14f794ad20c2c966b82780d699f640bacd1ac
Instruction Fuzzy Hash: 82C191B1A10106AFDB24DF98C894EBEB7B9FF58300F548069FA059B291DB70ED55CB90

Function 00212716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002121D0,?,?,00000034,00000800,?,00000034), ref: 0021B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00212760

Part of subcall function 0021B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0021B3F8

Part of subcall function 0021B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0021B355
Part of subcall function 0021B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00212194,00000034,?,?,00001004,00000000,00000000), ref: 0021B365
Part of subcall function 0021B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00212194,00000034,?,?,00001004,00000000,00000000), ref: 0021B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0021281A

Strings

@, xrefs: 00212832

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 33f9cba79aebdbde4b94a382b7801635b3ec3c6f01055f0b346ae20599f98b58
Instruction ID: af1217ee90a4dd57993368d32725668dd1cdeeb8b3c268d513a9c986851cf8f1
Opcode Fuzzy Hash: 33f9cba79aebdbde4b94a382b7801635b3ec3c6f01055f0b346ae20599f98b58
Instruction Fuzzy Hash: 84413D76900218AFDB15DFA4CD85ADEBBB8AF15300F108095FA55B7181DB706E99CB60

Function 001E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 001E1769
_free.LIBCMT ref: 001E1834
_free.LIBCMT ref: 001E183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 001E1760, 001E1767, 001E1796, 001E17CE

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3417719964
Opcode ID: dd84217eaad9d7fc48cf5a7faaec4934cbf1b1c41380f5ffc8f6e47dc4a5ac6e
Instruction ID: 7eb12facd3046c36f18d5ddccad06fa7de1bc4753dd7361cdbc0aafd7b0139f4
Opcode Fuzzy Hash: dd84217eaad9d7fc48cf5a7faaec4934cbf1b1c41380f5ffc8f6e47dc4a5ac6e
Instruction Fuzzy Hash: 5F31AD75E00698BBDB21DB9A9C85D9EBBFCEB95710B1041AAF80497251D7708E41CBA0

Function 0021C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0021C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0021C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00281990,010C6150), ref: 0021C395

Strings

0, xrefs: 0021C2DF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1652616519c9ff5d1c5ec30573652923b92a92d2cc11d7e7ac86bc127668c133
Instruction ID: 4d8dac09e9623c5bb6c77b56f80924b90099c10c4c95f70afe47d543afd7a170
Opcode Fuzzy Hash: 1652616519c9ff5d1c5ec30573652923b92a92d2cc11d7e7ac86bc127668c133
Instruction Fuzzy Hash: 004105352543029FD720DF24D884B9ABBE4BFA5310F20866EF861D72D1C730E895CB52

Function 00244416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0024CC08,00000000,?,?,?,?), ref: 002444AA
GetWindowLongW.USER32 ref: 002444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002444D7

Strings

SysTreeView32, xrefs: 0024447C

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 10d9c015c29dc3371ddcab64933b50905587bfc879849507bd4d30422a0c20bd
Instruction ID: b1fa946a6eb5f23ae3d98e16698dc0d78ae5145074afbc4eb2bc07d7924f2ae2
Opcode Fuzzy Hash: 10d9c015c29dc3371ddcab64933b50905587bfc879849507bd4d30422a0c20bd
Instruction Fuzzy Hash: 0531A231220606AFDF24AF38DC45BDA77A9EB19334F204715F979921D0D770EC609B50

Function 00216E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00216EED
VariantCopyInd.OLEAUT32(?,?), ref: 00216F08
VariantClear.OLEAUT32(?), ref: 00216F12

Strings

*j!, xrefs: 00216E8B, 00216E90, 00216EF8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j!
API String ID: 2173805711-434145623
Opcode ID: 5c12f04603ea371718fa5905fb8815d17ef2d9d82faad891a9360ebf6a968be1
Instruction ID: 6d0cbc5a248b00fcb39342350f6d7927b8397e8f74fe06f4a63f6d0de03ef931
Opcode Fuzzy Hash: 5c12f04603ea371718fa5905fb8815d17ef2d9d82faad891a9360ebf6a968be1
Instruction Fuzzy Hash: F331B371618205DFCB15AFA4E8999FD37B9FFA5300B2004A8F9034B6B1C7B09D62DB90

Function 0023304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0023335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00233077,?,?), ref: 00233378

inet_addr.WSOCK32(?), ref: 0023307A
_wcslen.LIBCMT ref: 0023309B
htons.WSOCK32(00000000), ref: 00233106

Strings

255.255.255.255, xrefs: 00233095, 0023309A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 37c7f2205b1f4df1116ad9e8c899703d55d83d9d49faff0d23082bf1e2c1168f
Instruction ID: c58452be27aa32a140eab2000abf6839e7990d6f318c52d1508b0bd62476b558
Opcode Fuzzy Hash: 37c7f2205b1f4df1116ad9e8c899703d55d83d9d49faff0d23082bf1e2c1168f
Instruction Fuzzy Hash: 5431D5B96142069FCB24CF28C585EA977F0EF14318F248059E9158F392DB72DF55CB60

Function 00244653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00244705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00244713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0024471A

Strings

msctls_updown32, xrefs: 00244684

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3fb1037b33dba2fbb3fc94e675f5530d8beb047a5fe3ff86d16416c159397178
Instruction ID: e98dd7ade292568764f96816b9c817cb8ce2f5ff2c108341e7b91ab109620628
Opcode Fuzzy Hash: 3fb1037b33dba2fbb3fc94e675f5530d8beb047a5fe3ff86d16416c159397178
Instruction Fuzzy Hash: 3C218EB5611209AFDB15EF68DC85DA777ADEB5A394B000059FA049B391CB30EC22CB60

Function 002195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021961D

Strings

#requireadmin, xrefs: 002195D9
#OnAutoItStartRegister, xrefs: 002195F3
#notrayicon, xrefs: 002195B7

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 37cecf339bc151f2e0388d86f4686b3ef5bbb6c08df72a9f12d6e7b458e0d542
Instruction ID: 9082aecd07a259718bcc1af5d9b1666712a241b98efbdf2daae4eeeb7b4d3235
Opcode Fuzzy Hash: 37cecf339bc151f2e0388d86f4686b3ef5bbb6c08df72a9f12d6e7b458e0d542
Instruction Fuzzy Hash: D3215E3212415166D331AF249C22FF773DDEFB5300F504026FA4997181EB91ADE2C2E5

Function 002437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00243840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00243850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00243876

Strings

Listbox, xrefs: 0024380F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3c2e54b676caa6eb7639f2d6e2940c81b71896a167de40f5c7060352e71addde
Instruction ID: 36f4009f7866b1fffe29743b6234b81194869c1ec5a73f67e13670dd581d34f6
Opcode Fuzzy Hash: 3c2e54b676caa6eb7639f2d6e2940c81b71896a167de40f5c7060352e71addde
Instruction Fuzzy Hash: AD21BE72620219BBEB25CF54DC85EAB7B6EEF99760F108124F9449B190C671DC628BA0

Function 002249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00224A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00224A5C
SetErrorMode.KERNEL32(00000000,?,?,0024CC08), ref: 00224AD0

Strings

%lu, xrefs: 00224A6F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 0679538410de5d39b27792ae43166f7a41725485ca91ae7f1ac77314d674642b
Instruction ID: 8668e3102ae54e82b91b0fbea34c0678229bfdb40f7c69a1b98296000c037faf
Opcode Fuzzy Hash: 0679538410de5d39b27792ae43166f7a41725485ca91ae7f1ac77314d674642b
Instruction Fuzzy Hash: 10318575A00119AFD710DF54D885EAA7BF8EF09304F148099F909DB252D771EE46CB61

Function 002441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0024424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00244264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00244271

Strings

msctls_trackbar32, xrefs: 00244226

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a8f6f8ebcf2c28be38f01ccf222170bdf13a9af2b5dbf293f8048abfc84ca6b0
Instruction ID: 7f42da36749c99528b26e3b0cd6027cab047b0b36e9409851ef8482e0f64b861
Opcode Fuzzy Hash: a8f6f8ebcf2c28be38f01ccf222170bdf13a9af2b5dbf293f8048abfc84ca6b0
Instruction Fuzzy Hash: 6B110631250208BEEF24AF29CC06FAB3BACEF95B54F110624FE55E6090D6B1DC219B10

Function 00212F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Part of subcall function 00212DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00212DC5
Part of subcall function 00212DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00212DD6
Part of subcall function 00212DA7: GetCurrentThreadId.KERNEL32 ref: 00212DDD
Part of subcall function 00212DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00212DE4

GetFocus.USER32 ref: 00212F78

Part of subcall function 00212DEE: GetParent.USER32(00000000), ref: 00212DF9

GetClassNameW.USER32(?,?,00000100), ref: 00212FC3
EnumChildWindows.USER32(?,0021303B), ref: 00212FEB

Strings

%s%d, xrefs: 00212FFF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 42b011b8b9d7226f6471827e5636feb7785c86df5d65a3e23dfcbd2af90a8dd0
Instruction ID: 4b5fbb34c167b021e1f1999ca8968bff57901b3a9147c7222f0c59c98a4e55e7
Opcode Fuzzy Hash: 42b011b8b9d7226f6471827e5636feb7785c86df5d65a3e23dfcbd2af90a8dd0
Instruction Fuzzy Hash: 78110275310205ABCF44BF64DC85EEE37AAAFA9304F008079F9099B142DF3099998F30

Function 00245882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002458EE
DrawMenuBar.USER32(?), ref: 002458FD

Strings

0, xrefs: 0024588F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 68ac03e2c4d3ebd76824acea5b14806b27689a1a93662185b8432a889b80f560
Instruction ID: 743996ba1e425549ce50345e4596d46df9416ca3ba41efd0c9fbc20f604048c0
Opcode Fuzzy Hash: 68ac03e2c4d3ebd76824acea5b14806b27689a1a93662185b8432a889b80f560
Instruction Fuzzy Hash: 3001C031510228EFDB209F11EC48FAEBBB5FF45760F108099E889DA152DB308A90EF60

Function 0021007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049d8fd83587175f661a462686c96438cece7cb6739f09f677f50df2b9132dc8
Instruction ID: 160dc08fe53587e0f1673dd42095b7eac83f2419a528721a8fda53c8e9bfbd3e
Opcode Fuzzy Hash: 049d8fd83587175f661a462686c96438cece7cb6739f09f677f50df2b9132dc8
Instruction Fuzzy Hash: 4EC15C75A1020AEFDB14CF94C898AAEB7B5FF58304F208598E815EB251D7B1EDD1CB90

Function 0023342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00233459
CoUninitialize.OLE32 ref: 00233463
VariantInit.OLEAUT32(?), ref: 0023346E
VariantClear.OLEAUT32(?), ref: 0023371B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 84c01f4a0a23ccb5f205cec0c6b88ddb83d807ddff277d4254448184064d3439
Instruction ID: 440294e29696ee91340549a8e15f0c37873b52dfb9df069ab323a8873e52ecd2
Opcode Fuzzy Hash: 84c01f4a0a23ccb5f205cec0c6b88ddb83d807ddff277d4254448184064d3439
Instruction Fuzzy Hash: 0CA14AB56143019FC710DF28C586A6AB7E5FF88714F04885DF98A9B3A2DB30EE01CB91

Function 00210436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0024FC08,?), ref: 002105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0024FC08,?), ref: 00210608
CLSIDFromProgID.OLE32(?,?,00000000,0024CC40,000000FF,?,00000000,00000800,00000000,?,0024FC08,?), ref: 0021062D
_memcmp.LIBVCRUNTIME ref: 0021064E

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cecd374b207b3bca9823696dc5b15170d5ac44ee13cf5832b4682c1851dd4a39
Instruction ID: b99f3ba9bbb86beca8d8111502a07ddceb08dd22b8b48c1cf1b021225a583421
Opcode Fuzzy Hash: cecd374b207b3bca9823696dc5b15170d5ac44ee13cf5832b4682c1851dd4a39
Instruction Fuzzy Hash: 31813B71A10109EFCB04DF94C984EEEB7F9FF99315F204158E506AB250DB71AE86CB60

Function 0023A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0023A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0023A6BA

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0023A79C
CloseHandle.KERNEL32(00000000), ref: 0023A7AB

Part of subcall function 001CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,001F3303,?), ref: 001CCE8A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: a8355b4d07833f7002e7e378a3af452e619657ad1222d39fe888ffdbcf1e23e0
Instruction ID: f58b2de340b2a29522fc98e38d6902b81d41aaebc5c4a9290069ba707b9405a9
Opcode Fuzzy Hash: a8355b4d07833f7002e7e378a3af452e619657ad1222d39fe888ffdbcf1e23e0
Instruction Fuzzy Hash: E8512CB1508301AFD710EF24D886E6BBBE8FF99754F40492DF58997251EB30D905CB92

Function 001F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001F14C0

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3d88dc3779f05f8782dc60e6d817a65d9dfd6a9d45253071b23acfbc9c01bc47
Instruction ID: a4f29dd2a330cbe48ccff73a0510edd9c9aa0f3aa1e6b75909889545d9eb33bd
Opcode Fuzzy Hash: 3d88dc3779f05f8782dc60e6d817a65d9dfd6a9d45253071b23acfbc9c01bc47
Instruction Fuzzy Hash: 2D414D3150050CFBDB25ABFE9C466BE3AA5EFA1330F240226FA19D72D2E73489415271

Function 00246278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002462E2
ScreenToClient.USER32(?,?), ref: 00246315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00246382

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b45ea21910e33c5f8caaffccfef7a2d980edb60a9c0f68745e481772c7c13f21
Instruction ID: 80053a7191c4fa01de80175db5b7ff06fa86d059dcfb3afd54c29731850b0afd
Opcode Fuzzy Hash: b45ea21910e33c5f8caaffccfef7a2d980edb60a9c0f68745e481772c7c13f21
Instruction Fuzzy Hash: 5C515E74A1024AEFCF18DF58D8889AE7BB5FF46760F108199F8159B290D730EDA1CB51

Function 00231AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00231AFD
WSAGetLastError.WSOCK32 ref: 00231B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00231B8A
WSAGetLastError.WSOCK32 ref: 00231B94

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: fd063cad7231a44879c2afc667d2f1eeb0e505f3e37b84764433f4d58fb3e528
Instruction ID: 9e19b63df0fa96c3231c8699e4d5c9c586c7b3c41c14e9bf4f8abd301c53af08
Opcode Fuzzy Hash: fd063cad7231a44879c2afc667d2f1eeb0e505f3e37b84764433f4d58fb3e528
Instruction Fuzzy Hash: 5541C374600200AFE720AF24D88AF6A77E5AB54718F54848CF91A9F7D2D772DD52CB90

Function 001EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e74604e1bb2adee3c32b3ceb966e6aa5bec0be321085cc315f837a5598fb2c
Instruction ID: 672ad9ea4469452590b32411c32ffc795610b5134e9a158ddb7f7fc9b25b987e
Opcode Fuzzy Hash: 88e74604e1bb2adee3c32b3ceb966e6aa5bec0be321085cc315f837a5598fb2c
Instruction Fuzzy Hash: 0041E672A04B44BFD7259F79CC81B6FBBA9EB94710F10452EF542DB2C2D771A9018780

Function 002256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00225783
GetLastError.KERNEL32(?,00000000), ref: 002257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002257FA

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f948162cadb8882f23eafc0690f8e2f44b86f6503cec68d13bef7c2e8102a53b
Instruction ID: 4f8a76a0b3357b09f0f7df449efe38d449477741857b1de1e1e9ceefc141e863
Opcode Fuzzy Hash: f948162cadb8882f23eafc0690f8e2f44b86f6503cec68d13bef7c2e8102a53b
Instruction Fuzzy Hash: E9412C39600621DFCB21DF55D445A5EBBF2EF99320B19C488E84AAB762CB74FD40CB91

Function 001ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,001D6D71,00000000,00000000,001D82D9,?,001D82D9,?,00000001,001D6D71,8BE85006,00000001,001D82D9,001D82D9), ref: 001ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001ED9AB
__freea.LIBCMT ref: 001ED9B4

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b9d768b7965e9256336b6a52dd122a1d6d3e3476bfc64686d3ba737d223e26ee
Instruction ID: 6cab86817125caf3ccca7f87cb7495b5440f2d5125b10447e64328ed17fc84d3
Opcode Fuzzy Hash: b9d768b7965e9256336b6a52dd122a1d6d3e3476bfc64686d3ba737d223e26ee
Instruction Fuzzy Hash: 10310F72A0064AABDF24CF66EC45EAE7BA5EF41314F150169FC09D7251EB35CD50CBA0

Function 002452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00245352
GetWindowLongW.USER32(?,000000F0), ref: 00245375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00245382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002453A8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0836fc4e3f707ed7a462399258e689537517fcc4fb48fb1e6c95947fdb2c49cb
Instruction ID: 9be576f53b4187c37497af3561a9376894c8850170f23e289d72b4630f102fb0
Opcode Fuzzy Hash: 0836fc4e3f707ed7a462399258e689537517fcc4fb48fb1e6c95947fdb2c49cb
Instruction Fuzzy Hash: F431C634A76A29EFEB389E14CC09FE83F65AB05390F544181FA90961E2C7F49DA0DB41

Function 0021AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 0021ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0021AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0021AC74
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 0021ACC6

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c802616e53aa21a722544386e78a3cf320ad64a0eebfc3ca7f4ddde2511224dd
Instruction ID: 554a82ee8c7742784dfc67486fb23355b96c8bf5e0a15a1b406c257c002914e2
Opcode Fuzzy Hash: c802616e53aa21a722544386e78a3cf320ad64a0eebfc3ca7f4ddde2511224dd
Instruction Fuzzy Hash: 51312830A213196FEF35CF698C087FA7BE5ABA9310F04421BE485921D1D37589E587D2

Function 00247674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0024769A
GetWindowRect.USER32(?,?), ref: 00247710
PtInRect.USER32(?,?,00248B89), ref: 00247720
MessageBeep.USER32(00000000), ref: 0024778C

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: da2c44698c621f4254a523e5759dfe6872a131c87c856b10650d16b50bb8e011
Instruction ID: bb4d30d8644d387d25064c76a6c060c51b8b4d796cd37379e89d6f815263a37a
Opcode Fuzzy Hash: da2c44698c621f4254a523e5759dfe6872a131c87c856b10650d16b50bb8e011
Instruction Fuzzy Hash: 1D41B338616215DFCB19CF58D898EA9B7F9FF49314F5540A8E424DB2A1C730E952CF90

Function 002416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002416EB

Part of subcall function 00213A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00213A57
Part of subcall function 00213A3D: GetCurrentThreadId.KERNEL32 ref: 00213A5E
Part of subcall function 00213A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002125B3), ref: 00213A65

GetCaretPos.USER32(?), ref: 002416FF
ClientToScreen.USER32(00000000,?), ref: 0024174C
GetForegroundWindow.USER32 ref: 00241752

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 15992a3ebf6ea056706723ecb79c311465c5a8dbdb2fbbe73bdd9203905b84f8
Instruction ID: 570236894e33a4186d3242f3771241048c5d38f544dd7d65d8d804c81617b552
Opcode Fuzzy Hash: 15992a3ebf6ea056706723ecb79c311465c5a8dbdb2fbbe73bdd9203905b84f8
Instruction Fuzzy Hash: A2315E75D10109AFCB04EFA9C881CEEBBF9EF59304B5080AAE415E7211D7319E45CBA0

Function 00248FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

GetCursorPos.USER32(?), ref: 00249001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00207711,?,?,?,?,?), ref: 00249016
GetCursorPos.USER32(?), ref: 0024905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00207711,?,?,?), ref: 00249094

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f3049ce292a50ae85b50d02003f555e2e22239638a24534b6dda9ce388827893
Instruction ID: 16277a3f78526d29d986361b5ce432db2454ab9ec3b91fcec8c2c1d92cfd37ab
Opcode Fuzzy Hash: f3049ce292a50ae85b50d02003f555e2e22239638a24534b6dda9ce388827893
Instruction Fuzzy Hash: E121BF35611018EFDB29CF98D859EEB3BB9EB8A350F104069F905572A1C7319DA0DB60

Function 0021D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0024CB68), ref: 0021D2FB
GetLastError.KERNEL32 ref: 0021D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0021D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0024CB68), ref: 0021D376

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: cf5bf6dd6093b9e47705a2ac35c162b4202d8223fa100e1db09dc5adda78fdcb
Instruction ID: 1ed8007950ebeace61e6220a924150f641200eba6bc9f6d80424820be22994e4
Opcode Fuzzy Hash: cf5bf6dd6093b9e47705a2ac35c162b4202d8223fa100e1db09dc5adda78fdcb
Instruction Fuzzy Hash: 8221D170519202DF8300DF28D8818EA77E4EE66324F204A5DF8A9C72A1DB30D996CF93

Function 00211571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00211014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0021102A
Part of subcall function 00211014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00211036
Part of subcall function 00211014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211045
Part of subcall function 00211014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0021104C
Part of subcall function 00211014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002115BE
_memcmp.LIBVCRUNTIME ref: 002115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00211617
HeapFree.KERNEL32(00000000), ref: 0021161E

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 74c673c7ba15427b3b8e2d1f57a76d8d6a56942bc2d507ff87dbc9a9fce72ec2
Instruction ID: 46e715dfaec8c183b8f8ba499895e953c2e2ef155ca159ba8fe07aeeab1bd2f8
Opcode Fuzzy Hash: 74c673c7ba15427b3b8e2d1f57a76d8d6a56942bc2d507ff87dbc9a9fce72ec2
Instruction Fuzzy Hash: EC21BA31E11109EFDF00DFA4C948BEEB7F9EFA4344F184459E505AB241E731AAA4CBA0

Function 00242782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0024280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00242824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00242832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00242840

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 994fa81c744c548c0135cb3c50bc3e97c3038450beb63613342b532125331750
Instruction ID: 886d01a70823238aa48835d5290b49a64e2c1b347a2ccb3b16c4b2266bb6c961
Opcode Fuzzy Hash: 994fa81c744c548c0135cb3c50bc3e97c3038450beb63613342b532125331750
Instruction Fuzzy Hash: 82212435215111EFD7189B25C844FAAB799EF45324F648148F4168B6D2CB71FC46CBA0

Function 002178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00218D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0021790A,?,000000FF,?,00218754,00000000,?,0000001C,?,?), ref: 00218D8C
Part of subcall function 00218D7D: lstrcpyW.KERNEL32(00000000,?,?,0021790A,?,000000FF,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00218DB2
Part of subcall function 00218D7D: lstrcmpiW.KERNEL32(00000000,?,0021790A,?,000000FF,?,00218754,00000000,?,0000001C,?,?), ref: 00218DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00217923
lstrcpyW.KERNEL32(00000000,?,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00217949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00217984

Strings

cdecl, xrefs: 0021797B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 80bba729f64a224978adf2027a01efc5e21015775c9a10407d139d52645eede3
Instruction ID: 7e9e6a858d887f3940daacbe001d6429d043902a11c135ce137435a71f747cff
Opcode Fuzzy Hash: 80bba729f64a224978adf2027a01efc5e21015775c9a10407d139d52645eede3
Instruction Fuzzy Hash: 4011293A210342ABCB159F38D844EBA77F5FFA5350B10402EF906C72A4EB31D861C791

Function 00247CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00247D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00247D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00247D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0022B7AD,00000000), ref: 00247D6B

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 45239a6904f1960c4c68838be6fd2f654cca10cbe1fd6291f4fe2d33a6bc67f7
Instruction ID: 32acb6291345bd602c617c58adc032187c8ec5c73a09621630ba991a2a45a8ea
Opcode Fuzzy Hash: 45239a6904f1960c4c68838be6fd2f654cca10cbe1fd6291f4fe2d33a6bc67f7
Instruction Fuzzy Hash: F6117235625615EFCB149F68DC08E6A3BA9AF46360B258724F839D72F0D7309D61CB50

Function 00245660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002456BB
_wcslen.LIBCMT ref: 002456CD
_wcslen.LIBCMT ref: 002456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00245816

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ab2c881845e8269cdb02c9fcf3c7d99b509109784f3ccd365017a233ddf49ef0
Instruction ID: fb5e3f39cf90e841fd4b67f2ec1e12d082d13baece56d770595f6f00a7bdc613
Opcode Fuzzy Hash: ab2c881845e8269cdb02c9fcf3c7d99b509109784f3ccd365017a233ddf49ef0
Instruction Fuzzy Hash: 94112975620625A7EF28DF75CC85AEE776CFF11364F104026F955D6082E7B0C9A0CB60

Function 00211A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00211A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00211A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00211A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00211A8A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0806d2366ca76ae69aec9e6bb4e110cf8eab5d6bff9ae99ad90b327ce00b3da7
Instruction ID: 34b042461d4271d4702ad5bc90baf0d040db868d2f4d1fe3d8e1985c1438128c
Opcode Fuzzy Hash: 0806d2366ca76ae69aec9e6bb4e110cf8eab5d6bff9ae99ad90b327ce00b3da7
Instruction Fuzzy Hash: AD11F73A901219FFEB119FA5C985FEDBBB8EF18750F200091EA04B7294D6716E60DB94

Function 0021E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0021E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0021E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0021E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0021E24D

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: a5dfc5267b92e1239d9bafa0006642c4a5c09e4d8a65ff3533fda554eb53ced6
Instruction ID: 9b55131b76df1ada7a6e35a564ade91030c19dabacc1ac7ceaf39405da6d8229
Opcode Fuzzy Hash: a5dfc5267b92e1239d9bafa0006642c4a5c09e4d8a65ff3533fda554eb53ced6
Instruction Fuzzy Hash: A111087AA05255BBCB019FACBC0DADE7FEC9B46321F104255FC14D3291D2B08D1087A0

Function 001DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,001DCFF9,00000000,00000004,00000000), ref: 001DD218
GetLastError.KERNEL32 ref: 001DD224
__dosmaperr.LIBCMT ref: 001DD22B
ResumeThread.KERNEL32(00000000), ref: 001DD249

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a6adcb65cab897b99e9c97dd75b419f05631ec44da6c050e6a30cbab38dd5ccc
Instruction ID: 3d9def08cad7f398fb07fdcce8ea70e98293ad16e394ab9008559afcab3769d9
Opcode Fuzzy Hash: a6adcb65cab897b99e9c97dd75b419f05631ec44da6c050e6a30cbab38dd5ccc
Instruction Fuzzy Hash: 3001D6368051047BC7115BA9EC09BAE7B6DDF92730F20025AF925922D0CF71C901C6A0

Function 001B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001B604C
GetStockObject.GDI32(00000011), ref: 001B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 001B606A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b06efbbd13ed695559e87efefc89f13d1299a370ae90ce448b6793ecf75503ba
Instruction ID: 19635888d2630bdddcbfa0365adb37355365b5685f4eb64c365eb326a6e735ef
Opcode Fuzzy Hash: b06efbbd13ed695559e87efefc89f13d1299a370ae90ce448b6793ecf75503ba
Instruction Fuzzy Hash: 7C11AD72102508BFEF165FA5DC48EFABB6DFF293A4F100205FA0456020D73A9C60DBA0

Function 001D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001D3B56

Part of subcall function 001D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 001D3AD2
Part of subcall function 001D3AA3: ___AdjustPointer.LIBCMT ref: 001D3AED

_UnwindNestedFrames.LIBCMT ref: 001D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 001D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 001D3BA4

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0fc5c3f0fb3fc0332af9ca935901b6af4b2eabcb1b283d3885431be9c6ccb54d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 74010C32100149BBDF125F95CC46EEB7F6DEF58794F04401AFE5896221C732E961EBA1

Function 001E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001B13C6,00000000,00000000,?,001E301A,001B13C6,00000000,00000000,00000000,?,001E328B,00000006,FlsSetValue), ref: 001E30A5
GetLastError.KERNEL32(?,001E301A,001B13C6,00000000,00000000,00000000,?,001E328B,00000006,FlsSetValue,00252290,FlsSetValue,00000000,00000364,?,001E2E46), ref: 001E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001E301A,001B13C6,00000000,00000000,00000000,?,001E328B,00000006,FlsSetValue,00252290,FlsSetValue,00000000), ref: 001E30BF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a18666c0fb911000ca46700c93a8239eb28ff68a2c63922a3697d1118b4870b2
Instruction ID: f2f58d412ec4a7fdc1110c199268a5cf0e2095104ee7890ea031454904b5f123
Opcode Fuzzy Hash: a18666c0fb911000ca46700c93a8239eb28ff68a2c63922a3697d1118b4870b2
Instruction Fuzzy Hash: 27012036302B62ABCB318B7FBC4C96F7B989F45771B210620F925D3140C721D901C6E0

Function 00217464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0021747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00217497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002174CA

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c02e93e7e088ae64996c99483d44a2a636d0da1588a58efc7b1eacc090ed7ef7
Instruction ID: 8ec2ef8c24f87e40661a09cf62f8d1722fea076c279dd6ef3ea788981da6137c
Opcode Fuzzy Hash: c02e93e7e088ae64996c99483d44a2a636d0da1588a58efc7b1eacc090ed7ef7
Instruction Fuzzy Hash: DC11A1B92163119BF7208F18ED08BD27BFCEB40B00F208569A656D6151D7B0E994DB60

Function 0021B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B126

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 501f6f820439e89bcb16d278d24e2bd43d8f5d6dd01a5ba8e6179adf5acda401
Instruction ID: 4927eb5dc75630c05a96cdd957a40fcb7ed292791f356227b147d6b7c0e59804
Opcode Fuzzy Hash: 501f6f820439e89bcb16d278d24e2bd43d8f5d6dd01a5ba8e6179adf5acda401
Instruction Fuzzy Hash: 4211A130C1251DE7CF019FE8E9586EEBBB8FF1A310F214095D949B2141CB3055A08B51

Function 00212DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00212DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00212DD6
GetCurrentThreadId.KERNEL32 ref: 00212DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00212DE4

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6f8e876f27b673075ebec30b7f7e2bc9da9702f2addf5e113b876046859d1cb9
Instruction ID: 47e07f005e9bd3e3d8dc2e2436fac6ec2cd3a24e95ece2820a7f8999b6869e36
Opcode Fuzzy Hash: 6f8e876f27b673075ebec30b7f7e2bc9da9702f2addf5e113b876046859d1cb9
Instruction Fuzzy Hash: 3CE09275212628BBD7201FB6FC0DFEB3EACEF93BA1F214015F105D10809AA1C894C6B0

Function 00248863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001C9693
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96A2
Part of subcall function 001C9639: BeginPath.GDI32(?), ref: 001C96B9
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00248887
LineTo.GDI32(?,?,?), ref: 00248894
EndPath.GDI32(?), ref: 002488A4
StrokePath.GDI32(?), ref: 002488B2

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 1ab9da0c59b84c59bba9375d4036d41391cfc4fc0f4a9fe2f9c4a5e457e25623
Instruction ID: 8f116180a69ff310c6dcb5c26dcb2837f6659bc974e60007e4b2a88b94803cd2
Opcode Fuzzy Hash: 1ab9da0c59b84c59bba9375d4036d41391cfc4fc0f4a9fe2f9c4a5e457e25623
Instruction Fuzzy Hash: 1CF05E3A052259FADB125F98BC0DFCE3F59AF16310F148100FA11650E2C7755521CFE9

Function 001C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001C98CC
SetTextColor.GDI32(?,?), ref: 001C98D6
SetBkMode.GDI32(?,00000001), ref: 001C98E9
GetStockObject.GDI32(00000005), ref: 001C98F1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 1a5f89a8bb4aa0e982b8e856b272ac6ac4c7236b6807232ad52dbb6283a294b5
Instruction ID: 2d13335ff2d00b7f21e4ca09bad725c82fae4af3c3d8281397cebabc8ed12257
Opcode Fuzzy Hash: 1a5f89a8bb4aa0e982b8e856b272ac6ac4c7236b6807232ad52dbb6283a294b5
Instruction Fuzzy Hash: 3AE06D35645280AAEB615F78BC0DBE83F20AB16336F248219F6FE580E2C7B156509B10

Function 0021162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00211634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002111D9), ref: 0021163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002111D9), ref: 00211648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002111D9), ref: 0021164F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: fa6b2e31a410da755bfb75071d8747bdab15f1772bb591f8eb0339c7af4c2d3a
Instruction ID: a70061a4cdf4c98216b10212b7c76d852c3d58476f9bfac58e29541c6130d614
Opcode Fuzzy Hash: fa6b2e31a410da755bfb75071d8747bdab15f1772bb591f8eb0339c7af4c2d3a
Instruction Fuzzy Hash: 87E08635603211DBD7B01FE4BD0DB863BBCAF567D1F244808F745C9090D6B44490CB50

Function 0020D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0020D858
GetDC.USER32(00000000), ref: 0020D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0020D882
ReleaseDC.USER32(?), ref: 0020D8A3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e9f407306eb0edd863328d1754faa6dce605d433a5608b964fff8b08b8c30b3c
Instruction ID: e88c1a5e627de7bba64b76e695809260660b6b2b043a46da03edf64f06220cce
Opcode Fuzzy Hash: e9f407306eb0edd863328d1754faa6dce605d433a5608b964fff8b08b8c30b3c
Instruction Fuzzy Hash: 46E01AB8801204DFCB819FE8E80CA6DBBB5FB49310F21D059F816E7260C7788911AF40

Function 0020D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0020D86C
GetDC.USER32(00000000), ref: 0020D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0020D882
ReleaseDC.USER32(?), ref: 0020D8A3

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 066386d898efb897627a41358c21fedcc243c96aff51506dc9323a7342039e46
Instruction ID: 72eabb65a76469d6b8ca09533813c725c443d78585f36074976b8d80c7239e3d
Opcode Fuzzy Hash: 066386d898efb897627a41358c21fedcc243c96aff51506dc9323a7342039e46
Instruction Fuzzy Hash: E9E04F78C01200DFCF909FB8E80C66DBBB5FB48310F219048F916E7260C77859019F40

Function 00224D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00224ED4

Strings

LPT, xrefs: 00224DFB
*, xrefs: 00224E10

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: a8c2f2ed21e7168ca52325840589fd1fa75b721774abf0339eba2f7ed1537a68
Instruction ID: 1c867d3ef3199d04c06bbe4d146e8e27255cbbb60fbee8a3cf97955425ff44a2
Opcode Fuzzy Hash: a8c2f2ed21e7168ca52325840589fd1fa75b721774abf0339eba2f7ed1537a68
Instruction Fuzzy Hash: 8191C375A10215EFCB14EF98D584EA9BBF1BF88304F158099E40A9F7A2C771ED85CB90

Function 001DE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001DE30D

Strings

pow, xrefs: 001DE2E5, 001DE302

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c1479c4527112b9b27b66f33c146ecbeebc736926aa91d6b6e335929f93a253b
Instruction ID: f1e43efb31292c1830e180c05cc9f5c92ed871272deed3fa52ea42e080f3c91c
Opcode Fuzzy Hash: c1479c4527112b9b27b66f33c146ecbeebc736926aa91d6b6e335929f93a253b
Instruction Fuzzy Hash: 27519E61A0CA42A6EB157715DD0537D3BE8FB50742F304D9AF0D58B3E8EB308C959A86

Function 00237771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0020569E,00000000,?,0024CC08,?,00000000,00000000), ref: 002378DD

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

CharUpperBuffW.USER32(0020569E,00000000,?,0024CC08,00000000,?,00000000,00000000), ref: 0023783B

Strings

<s', xrefs: 002377C8

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s'
API String ID: 3544283678-1932024504
Opcode ID: 4bfce9a146d337a26617dc89107b1c4d32fd81967c41ab4d16f674cbcf717040
Instruction ID: 6629b12767f69b8407eeb43c9f219f794a6ca593ea4213d65e551b768db2a681
Opcode Fuzzy Hash: 4bfce9a146d337a26617dc89107b1c4d32fd81967c41ab4d16f674cbcf717040
Instruction Fuzzy Hash: D0613BB2924219EACF14EFA4CC91DFDB3B8BF28700F544129F542A7191EB749A15DBA0

Function 001CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 001CE1B1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f2ac39e8b1b0e4c6cf53bd819b13e9d5f87c90ff3a699f381aaa6ca9ba1602e5
Instruction ID: ac7be255200dba730d163655595e12842e9eb1815acfad704ebd2c933bb78353
Opcode Fuzzy Hash: f2ac39e8b1b0e4c6cf53bd819b13e9d5f87c90ff3a699f381aaa6ca9ba1602e5
Instruction Fuzzy Hash: ED51F035500346DFDF19DF28C481BBABBA8EF65310F258459E8919B2E1D734DDA2CB90

Function 001CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 001CF2BB

Strings

@, xrefs: 001CF2AF

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2e4be23d674aeb1d385ee00f81889bf6c351caf9b3a9d1a65acdb931d13da1a7
Instruction ID: 858963f615491f657ccf784da16378cb8b6c15f65ce8e6b5a243d2fd8642fd4f
Opcode Fuzzy Hash: 2e4be23d674aeb1d385ee00f81889bf6c351caf9b3a9d1a65acdb931d13da1a7
Instruction Fuzzy Hash: CC5135714087449BD320AF14EC8ABABBBF8FB95300F81885DF5D9811A5EB709529CB66

Function 00235745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002357E0
_wcslen.LIBCMT ref: 002357EC

Strings

CALLARGARRAY, xrefs: 002357E6, 002357EB

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 42e1b61591ce8327eb629bedd309bad6d4a140845e6229145aaa0f008c64a85b
Instruction ID: f447a937a1b72c64ae235a2352a895cb2e318bbc98f0f550a24008f215404bff
Opcode Fuzzy Hash: 42e1b61591ce8327eb629bedd309bad6d4a140845e6229145aaa0f008c64a85b
Instruction Fuzzy Hash: 4E41A071A1021A9FCB14DFA9C8859EEBBF5EF69310F204029E509A7251E7709D91CB90

Function 0022D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0022D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0022D13A

Strings

|, xrefs: 0022D10B

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d33c3c542ee9806752e603cdbfb2b7955d587e327f5f97af9a172cc65ec4bfa2
Instruction ID: f695fb563630c114cea886aba31461950884e63b17d6915eb11fdeacb1d7e0df
Opcode Fuzzy Hash: d33c3c542ee9806752e603cdbfb2b7955d587e327f5f97af9a172cc65ec4bfa2
Instruction Fuzzy Hash: D0313E75D10219ABCF15EFA4DC85AEEBFB9FF14300F100019F819A6166DB35A916DB50

Function 0024356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00243621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0024365C

Strings

static, xrefs: 002435BC

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3885879ea9507851d5914ffd85013aed5c62be42f841dc0d1faf4e9ff4d19d32
Instruction ID: 6401768460c93f18d6b8e17d80b511ec904c0e65a3def622fb0a900d17c66c30
Opcode Fuzzy Hash: 3885879ea9507851d5914ffd85013aed5c62be42f841dc0d1faf4e9ff4d19d32
Instruction Fuzzy Hash: EF319E71120605AEDB14DF28DC81EFB73ADFF98724F118619F8A597280DB70ADA1CB64

Function 00244537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0024461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00244634

Strings

', xrefs: 0024458E

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5451d905ba3132d1662e9fbb7066f8a60c09fb0b85f819a30466e9cc2c7635a7
Instruction ID: d63ca288c62792d1908fe92c2a2630f388b14afdaf31f59d3d6ba1ad5e8e32c0
Opcode Fuzzy Hash: 5451d905ba3132d1662e9fbb7066f8a60c09fb0b85f819a30466e9cc2c7635a7
Instruction Fuzzy Hash: 40316A74A0130A9FDF18DFA9C980BDABBB9FF19300F50406AE905AB381D770A911CF90

Function 002431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0024327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00243287

Strings

Combobox, xrefs: 00243249

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 647791631cf878f10f58e400f1094a12156a34228579ab0dead35734b93a0634
Instruction ID: 55a198b6d30c64e21f1866cb00862089565b6b1c4ab536601f1ef95d1c180f13
Opcode Fuzzy Hash: 647791631cf878f10f58e400f1094a12156a34228579ab0dead35734b93a0634
Instruction Fuzzy Hash: D011B2713202097FFF29DE54DC85EBB376AEB98364F104125FD189B290D6B19D618B60

Function 00243710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001B604C
Part of subcall function 001B600E: GetStockObject.GDI32(00000011), ref: 001B6060
Part of subcall function 001B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001B606A

GetWindowRect.USER32(00000000,?), ref: 0024377A
GetSysColor.USER32(00000012), ref: 00243794

Strings

static, xrefs: 00243757

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6edf2aeeaad315aa84b1be1f4f1a756cd19283b803d6ed99bf04196d0013aaf7
Instruction ID: 0c87c4e3d0040624784bc55eb94f1eea3e1bb3d74b574db20a323587160c23a0
Opcode Fuzzy Hash: 6edf2aeeaad315aa84b1be1f4f1a756cd19283b803d6ed99bf04196d0013aaf7
Instruction Fuzzy Hash: F51129B262020AAFDB05DFA8CC46AEE7BB8EB09314F104515F995E2250D775E8619B50

Function 0022CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0022CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0022CDA6

Strings

<local>, xrefs: 0022CD66

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6108039f5f0cc1bc53bc9d85dd15bae285e482b112d6760a2a7e43bc1e21fe5b
Instruction ID: b90a2ef211f1dd138c58be928bfef25b91f87e142eecd1b566f4cb321e0281a3
Opcode Fuzzy Hash: 6108039f5f0cc1bc53bc9d85dd15bae285e482b112d6760a2a7e43bc1e21fe5b
Instruction Fuzzy Hash: B811C6752256327AD7384FA6AC49FEBBE6CEF127A4F204236B10983080D7749865D6F0

Function 00243429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002434BA

Strings

edit, xrefs: 0024348F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: aed0477364df773e0b7374b4b9a19751e25bfd642df45c37c82a214ed1df21cb
Instruction ID: 0933123b1f9cef95ae37ccdd59deb3e7e66fd4fb8f8e1122caad91ec6a038b27
Opcode Fuzzy Hash: aed0477364df773e0b7374b4b9a19751e25bfd642df45c37c82a214ed1df21cb
Instruction Fuzzy Hash: 8511CE71220209AFEB1A9F68EC44AFB376AEF15774F604324F964931E0C775DC619B60

Function 00216C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00216CB6
_wcslen.LIBCMT ref: 00216CC2

Strings

STOP, xrefs: 00216CBC, 00216CC1

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ac832b985f8c5a62b930eb48de1b7f20360719a95cc6462c2e465dfc65bfca1d
Instruction ID: 9be594c1e7088cb78503a9e516b03dc449056c5b7067f1e489b572ad8cd7db6f
Opcode Fuzzy Hash: ac832b985f8c5a62b930eb48de1b7f20360719a95cc6462c2e465dfc65bfca1d
Instruction Fuzzy Hash: 4101C4326205278BCB209FFDEC889FF77E5EA757107500525E85296190EB31D9A0C690

Function 00211CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00211D4C

Strings

ComboBox, xrefs: 00211CEB
ListBox, xrefs: 00211D16

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea1793bf6ec9e40c61f99d1ef2cc7e680d6310de300fcb73e159f47de0e77646
Instruction ID: f9d0746ea0ffbc0e591234d5d096b1053e54d1ab120eb630d9defff541569f9c
Opcode Fuzzy Hash: ea1793bf6ec9e40c61f99d1ef2cc7e680d6310de300fcb73e159f47de0e77646
Instruction Fuzzy Hash: B9012831621218AB8B08EFA4DC51CFE77E8FF66350B10050AF922572C1EB705969C6A0

Function 00211BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00211C46

Strings

ComboBox, xrefs: 00211BE5
ListBox, xrefs: 00211C10

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c31c4e8bd2ebf556a9da97c5bb1f5a566f623f0ac40ecbc4968b266fa2d0155e
Instruction ID: 1b52fc4a543e04067d6dd6c6521938d8be05288ba82ed66475f7ff06aa430dae
Opcode Fuzzy Hash: c31c4e8bd2ebf556a9da97c5bb1f5a566f623f0ac40ecbc4968b266fa2d0155e
Instruction Fuzzy Hash: 1201A7757A110967CB08EB90D9519FFB7E89F32340F14001AEA0667281EB709E7996F2

Function 00211C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00211CC8

Strings

ComboBox, xrefs: 00211C69
ListBox, xrefs: 00211C94

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2111f520068516fa5984f6736567e19b5f2bad50957e07492645a90d3bdd3524
Instruction ID: 9c30a1d3cd8e1b28a12566f205ad6557dfbf76a9a0512fcbdb1b660060922140
Opcode Fuzzy Hash: 2111f520068516fa5984f6736567e19b5f2bad50957e07492645a90d3bdd3524
Instruction Fuzzy Hash: A701A77565111967CF04EB94CA41AFF77E89B32340B140016F90677281EB719F7996F2

Function 001CA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001CA529

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Strings

,%(, xrefs: 001CA509
3y , xrefs: 001CA545, 001CA54D, 001CA552

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%($3y
API String ID: 2551934079-4283432193
Opcode ID: b26250e7498093433c40f4035daae183153add75dc273f084bd079afb877d5d7
Instruction ID: 0a0812938b8dbd5612a8818dec43cb9c34f6ec32288ea684bbe3174b4ba9b3b6
Opcode Fuzzy Hash: b26250e7498093433c40f4035daae183153add75dc273f084bd079afb877d5d7
Instruction Fuzzy Hash: 5E01F73264161897C50AF768EC5BFAD3368DF25724F90401DFA01572C2DF50DD068A97

Function 00248172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00283018,0028305C), ref: 002481BF
CloseHandle.KERNEL32 ref: 002481D1

Strings

\0(, xrefs: 0024818A

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0(
API String ID: 3712363035-1880395983
Opcode ID: b782c8b4e2c6c627318ff791b58372631c65e82a638780f205cf3dc17a71097e
Instruction ID: 1ddd088edf47272c4b3633d07ca7125892ec8636e78d2f55c91860486be5ff5a
Opcode Fuzzy Hash: b782c8b4e2c6c627318ff791b58372631c65e82a638780f205cf3dc17a71097e
Instruction Fuzzy Hash: 79F054B9652300BAE320AB65BC49F773A5CEB15F54F004461FB08D51A1D6759A1093B5

Function 0023747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00237493
_wcslen.LIBCMT ref: 002374B9

Strings

3, 3, 16, 1, xrefs: 00237483

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f98cd245714e4586d92bfd5cf06ec86d3c044867685a2580b468702b9990313f
Instruction ID: d128cb1e136ccefc27b72f7dffb3b4dc795a9cb6103b6a28dc287ff08c3175f3
Opcode Fuzzy Hash: f98cd245714e4586d92bfd5cf06ec86d3c044867685a2580b468702b9990313f
Instruction Fuzzy Hash: A4E0ABC6224321229234133A9CC197F4699CFDE350B10082BFA84C2366EBA49CB1C3A0

Function 00210B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00210B23

Strings

AutoIt, xrefs: 00210B17
Error allocating memory., xrefs: 00210B1C

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 9e490ed259e18782a0833050a145911d44790699a998b1dcb62c238ff76dfd85
Instruction ID: 1fb6cafaa1ad03e7aaa4aad8b3027956c632c5c0f6de793dad35e7f0350217fd
Opcode Fuzzy Hash: 9e490ed259e18782a0833050a145911d44790699a998b1dcb62c238ff76dfd85
Instruction Fuzzy Hash: C8E0D83129531837D2143799BC43FC97B888F26B20F20442FF748555C38BE164A006E9

Function 001D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001D0D71,?,?,?,001B100A), ref: 001CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,001B100A), ref: 001D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001B100A), ref: 001D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001D0D7F

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c66b4b3c7851bb218eb9fe36a297de7753135dc6b2e145143fe9a5d52c94f9ad
Instruction ID: 01154ba2413158e7ac9cb9f3a644794d598470c9e5a7e49c0edc268728c4e4ae
Opcode Fuzzy Hash: c66b4b3c7851bb218eb9fe36a297de7753135dc6b2e145143fe9a5d52c94f9ad
Instruction Fuzzy Hash: 41E06D742007018BD3A1DFBCE5087827BE6AB18741F00892EE886C6751DBF4E4448BA1

Function 001CE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001CE3D5

Strings

0%(, xrefs: 001CE3B5
8%(, xrefs: 001CE3CA

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%($8%(
API String ID: 1385522511-1269923376
Opcode ID: a8ae189c5ad446aea039b3c7082e50b3164649b166a72afc16246ee5b46c98ac
Instruction ID: 3c72ebb03c3e15cecdd947367ccec0a9f4ab6553cb2eb1bb387e1fc66ac3a947
Opcode Fuzzy Hash: a8ae189c5ad446aea039b3c7082e50b3164649b166a72afc16246ee5b46c98ac
Instruction Fuzzy Hash: 59E020354A2950CBC60DA758B65DF4833D1FB3A320B94216DE001475D19B38B8458745

Function 00223017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0022302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00223044

Strings

aut, xrefs: 00223038

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 857b62b8f027c673d853ef79fae529f0bc9223780ebd0fe934626e32a8ee5a65
Instruction ID: 57dd727026c1e99c3fdf19810af352fd9aac1192b0334d3c600c5b099349fa21
Opcode Fuzzy Hash: 857b62b8f027c673d853ef79fae529f0bc9223780ebd0fe934626e32a8ee5a65
Instruction Fuzzy Hash: 2DD05E7650132867DB60E7A8AC0EFCB3A6CDB06750F0002A1BA55E2091DAF09984CAD4

Function 00242322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0024232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0024233F

Part of subcall function 0021E97B: Sleep.KERNEL32 ref: 0021E9F3

Strings

Shell_TrayWnd, xrefs: 00242325

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e363feeece95f1e7182143f57a5c239de56a0685ebe9803484d7d87acde155f4
Instruction ID: 1a429747ec781dcf9945cb32626ca5b818d35a598d7f2fcbcbedee680eb055ac
Opcode Fuzzy Hash: e363feeece95f1e7182143f57a5c239de56a0685ebe9803484d7d87acde155f4
Instruction Fuzzy Hash: 38D0227A3E1300B7E6ACB330EC0FFCABA189B01B00F118902770AAA0D0C8F0A800CE00

Function 00242356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0024236C
PostMessageW.USER32(00000000), ref: 00242373

Part of subcall function 0021E97B: Sleep.KERNEL32 ref: 0021E9F3

Strings

Shell_TrayWnd, xrefs: 00242365

Memory Dump Source

Source File: 00000000.00000002.1365119547.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1365090113.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365211853.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365273153.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365299993.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e397802a148695a5c7a2e4e68ab203d1c9dd54fc052e16a1fd93a2f3caa1f329
Instruction ID: 80563e2d31249e039cfa295a2de972c903612479acf86070077fb524c7032412
Opcode Fuzzy Hash: e397802a148695a5c7a2e4e68ab203d1c9dd54fc052e16a1fd93a2f3caa1f329
Instruction Fuzzy Hash: E5D0A9763D23007AE6A8A330AC0FFCAA6189B02B00F1189027706AA0D0C8B0A8008A04

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1551371402.000002738ECCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1515889482.0000027395932000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1517268067.00000273953BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1516248039.000002739566A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1516248039.000002739566A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1515889482.0000027395932000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1517268067.00000273953BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513912321.0000027398044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1549552403.000002738E8B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1400956714.0000027395735000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1400956714.0000027395735000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1515889482.0000027395932000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1517268067.00000273953BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547342453.000002738F45B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1515889482.0000027395932000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1517268067.00000273953BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1516248039.000002739566A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2557604962.0000025178F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2557604962.0000025178F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1548260405.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1402386396.000002738F235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2557604962.0000025178F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1537284331.000002739513B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1538583192.00000273908BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549552403.000002738E8B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1461201965.000002738E1A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467701071.000002738E1A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1538583192.00000273908BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1537284331.000002739513B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1549552403.000002738E8A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.10:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.10:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.10:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.10:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.10:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.10:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.10:49893 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.10:49894 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f4bfca67-9f15-4210-9b05-fd5b6de50c36.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f4bfca67-9f15-4210-9b05-fd5b6de50c36.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre