Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574458
MD5:	9b55afc1ca0156a623d6c797cf48ea06
SHA1:	4ba883db2fc00f0ef478ba431904c67b9660a03b
SHA256:	835b3cbdb1fd7a062e79fe9146a6b46aa1fb12d8f408fef57672109f64b1acbe
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9B55AFC1CA0156A623D6C797CF48EA06)

taskkill.exe (PID: 7704 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7844 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7928 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7992 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8056 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 8120 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8160 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8180 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6672 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2228 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {022ee35d-a47f-4ab3-bd88-1e2c404edb4e} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6b916f510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4016 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -parentBuildID 20230927232528 -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7bbade-4914-4451-9f5f-f7af1ec7525f} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6cb1eae10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6912 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5156 -prefMapHandle 5140 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6987848a-6474-4c66-8425-c2913ad113aa} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6ca2c4310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7636	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0056EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0056EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0056ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0056EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0055AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00589576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00589576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_45a1b46b-8
Source: file.exe, 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c27f8026-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_61006666-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_54114a55-e

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000001C7A2798937 NtQuerySystemInformation,		19_2_000001C7A2798937
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000001C7A27B24F2 NtQuerySystemInformation,		19_2_000001C7A27B24F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0055D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00551201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00551201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0055E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004FBF40	0_2_004FBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00562046	0_2_00562046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F8060	0_2_004F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00558298	0_2_00558298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052E4FF	0_2_0052E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052676B	0_2_0052676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00584873	0_2_00584873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004FCAF0	0_2_004FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051CAA0	0_2_0051CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050CC39	0_2_0050CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00526DD9	0_2_00526DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050B119	0_2_0050B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F91C0	0_2_004F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511394	0_2_00511394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511706	0_2_00511706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051781B	0_2_0051781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050997D	0_2_0050997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F7920	0_2_004F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005119B0	0_2_005119B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00517A4A	0_2_00517A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511C77	0_2_00511C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00543CD2	0_2_00543CD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00517CA7	0_2_00517CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057BE44	0_2_0057BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00529EEE	0_2_00529EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511F32	0_2_00511F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000001C7A2798937	19_2_000001C7A2798937
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000001C7A27B24F2	19_2_000001C7A27B24F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000001C7A27B2C1C	19_2_000001C7A27B2C1C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000001C7A27B2532	19_2_000001C7A27B2532

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0050F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00510A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004F9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/38@73/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005637B5 GetLastError,FormatMessageW,

0_2_005637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005510BF AdjustTokenPrivileges,CloseHandle,		0_2_005510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0055D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0056648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004F42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000F.00000003.1567261460.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1577888147.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000F.00000003.1567261460.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1577888147.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000F.00000003.1567261460.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1577888147.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000F.00000003.1567261460.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1577888147.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000F.00000003.1550795868.000001C6C5F4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000F.00000003.1567261460.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1577888147.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000F.00000003.1567261460.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1577888147.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000F.00000003.1567261460.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1577888147.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000F.00000003.1567261460.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1577888147.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000F.00000003.1567261460.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1577888147.000001C6D4A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2228 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {022ee35d-a47f-4ab3-bd88-1e2c404edb4e} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6b916f510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -parentBuildID 20230927232528 -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7bbade-4914-4451-9f5f-f7af1ec7525f} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6cb1eae10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5156 -prefMapHandle 5140 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6987848a-6474-4c66-8425-c2913ad113aa} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6ca2c4310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2228 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {022ee35d-a47f-4ab3-bd88-1e2c404edb4e} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6b916f510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -parentBuildID 20230927232528 -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7bbade-4914-4451-9f5f-f7af1ec7525f} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6cb1eae10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5156 -prefMapHandle 5140 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6987848a-6474-4c66-8425-c2913ad113aa} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6ca2c4310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb@ source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000F.00000003.1587424819.000001C6C8DDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1550012539.000001C6C8DDB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb@ source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000F.00000003.1549031430.000001C6C9329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WinTypes.pdb source: firefox.exe, 0000000F.00000003.1550795868.000001C6C5FB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1550795868.000001C6C5F4F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 0000000F.00000003.1587424819.000001C6C8DDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1550012539.000001C6C8DDB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C9345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc6.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb@ source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000F.00000003.1565960805.000001C6C65A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000F.00000003.1549031430.000001C6C9329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreMessaging.pdb source: firefox.exe, 0000000F.00000003.1550795868.000001C6C5F4F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb@ source: firefox.exe, 0000000F.00000003.1587424819.000001C6C8DDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1550012539.000001C6C8DDB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C93CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdbp source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb@ source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C9345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iphlpapi.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb@ source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C9345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb@ source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreUIComponents.pdb source: firefox.exe, 0000000F.00000003.1550795868.000001C6C5F4F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cfgmgr32.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb@ source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000F.00000003.1553063219.000001C6C659A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8webauthn.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdbbrowser/places.ftl source: firefox.exe, 0000000F.00000003.1587424819.000001C6C8DDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1550012539.000001C6C8DDB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdbTEXT source: firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8TextInputFramework.pdb source: firefox.exe, 0000000F.00000003.1550795868.000001C6C5F4F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000F.00000003.1553063219.000001C6C659A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1547492886.000001C6C9345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb@ source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb@ source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb@ source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8wtsapi32.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1550795868.000001C6C5F4F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb@ source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C9345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.pdb source: firefox.exe, 0000000F.00000003.1550795868.000001C6C5FB8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb@ source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C9345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000F.00000003.1549644598.000001C6C92D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C9370000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000F.00000003.1565960805.000001C6C65A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb@ source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netprofm.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000F.00000003.1549865481.000001C6C9281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587291887.000001C6C928A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8directmanipulation.pdb source: firefox.exe, 0000000F.00000003.1550795868.000001C6C5FB8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8setupapi.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8lgpllibs.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb`w source: firefox.exe, 0000000F.00000003.1547492886.000001C6C93CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.15.dr
Source:	Binary string: nssckbi.pdb@ source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C9345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C93CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000F.00000003.1547492886.000001C6C9370000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.15.dr
Source:	Binary string: 8wintrust.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000F.00000003.1549731482.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587227283.000001C6C9299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000F.00000003.1547302090.000001C6C9B24000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8npmproxy.pdb source: firefox.exe, 0000000F.00000003.1552363680.000001C6C5F29000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Source: gmpopenh264.dll.tmp.15.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00510A76 push ecx; ret

0_2_00510A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0050F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00581C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00581C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95529

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_000001C7A2798937 rdtsc

19_2_000001C7A2798937

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0055DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052C2A2 FindFirstFileExW,	0_2_0052C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005668EE FindFirstFileW,FindClose,	0_2_005668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0056698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0055D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0055D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00569642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00569642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0056979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00569B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00569B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00565C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00565C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Source: firefox.exe, 00000011.00000002.3154085268.00000291C981A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj*
Source: file.exe, 00000000.00000003.1399898312.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1399403465.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1402522331.000000000146C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1403392143.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1402317941.0000000001469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +%SystemRoot%\System32\mswsock.dllHyper-V RAW
Source: firefox.exe, 00000013.00000002.3158056584.000001C7A2830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWy
Source: file.exe, 00000000.00000003.1399898312.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1399403465.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1402522331.000000000146C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1403392143.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1402317941.0000000001469000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3154085268.00000291C981A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3153248496.000001C7A1FCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000011.00000002.3158953485.00000291C9E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: firefox.exe, 00000014.00000002.3153660658.000001F26B51A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW 0
Source: firefox.exe, 00000011.00000002.3158397933.00000291C9D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3158953485.00000291C9E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw<Y
Source: firefox.exe, 00000014.00000002.3157723402.000001F26B900000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>
Source: firefox.exe, 00000011.00000002.3158953485.00000291C9E00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3158056584.000001C7A2830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000011.00000002.3158953485.00000291C9E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$3

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_000001C7A2798937 rdtsc

19_2_000001C7A2798937

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056EAA2 BlockInput,

0_2_0056EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00522622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00522622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00514CE8 mov eax, dword ptr fs:[00000030h]

0_2_00514CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00550B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00550B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00522622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00522622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0051083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005109D5 SetUnhandledExceptionFilter,	0_2_005109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00510C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00510C21

Source: C:\Users\user\Desktop\file.exe

0_2_00551201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00532BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00532BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055B226 SendInput,keybd_event,

0_2_0055B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005722DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00550B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00551663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00551663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000F.00000003.1452234275.000001C6D550E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00510698 cpuid

0_2_00510698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0054D21C GetLocalTime,

0_2_0054D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0054D27A GetUserNameW,

0_2_0054D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0052B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0052B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7636, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7636, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00571204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00571806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	26%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
dualstack.reddit.map.fastly.net	151.101.65.140	true	false	high
youtube-ui.l.google.com	172.217.17.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000F.00000003.1576415553.000001C6CA2F8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000F.00000003.1576415553.000001C6CA2DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1576269808.000001C6CB3A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1542355882.000001C6CB393000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1582181546.000001C6CB3A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1576415553.000001C6CA2F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3154911124.000001C7A22C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3155221846.000001F26B8C3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000F.00000003.1567303448.000001C6D47D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000F.00000003.1558393550.000001C6CB74D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1571764370.000001C6CB74E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.15.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000F.00000003.1492395082.000001C6D172C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000014.00000002.3155221846.000001F26B88E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000F.00000003.1532854934.000001C6D1CFD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000F.00000003.1583148249.000001C6CA725000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1420019887.000001C6CAC74000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000F.00000003.1579781838.000001C6CC9A8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://screenshots.firefox.com	firefox.exe, 0000000F.00000003.1588035693.000001C6C7750000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 0000000F.00000003.1526888372.000001C6D52B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1552468743.000001C6D52B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1527898552.000001C6D52B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000F.00000003.1558393550.000001C6CB7AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1580529255.000001C6CB7AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1571764370.000001C6CB7AB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000F.00000003.1369075047.000001C6C8F63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1368478129.000001C6C8D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1368662840.000001C6C8F22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1368876656.000001C6C8F42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1369277786.000001C6C8F83000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000F.00000003.1596749833.000001C6CAAE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1423037999.000001C6CAADE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1549232137.000001C6C9315000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587027826.000001C6C9319000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1423037999.000001C6CAAE6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000F.00000003.1532268035.000001C6D4A18000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000F.00000003.1536980270.000001C6CC809000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1422881643.000001C6CC809000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000F.00000003.1535467477.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1556719525.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1569490263.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000F.00000003.1421531229.000001C6D1C75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1368876656.000001C6C8F42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1369277786.000001C6C8F83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1550795868.000001C6C5F4F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000F.00000003.1537094657.000001C6CC630000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000F.00000003.1369075047.000001C6C8F63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1368478129.000001C6C8D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1368662840.000001C6C8F22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1368876656.000001C6C8F42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000F.00000003.1420465749.000001C6CC7CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1421285643.000001C6C9FA8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000F.00000003.1579781838.000001C6CC9A8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000F.00000003.1532854934.000001C6D1CFD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 0000000F.00000003.1550795868.000001C6C5F72000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000F.00000003.1539840221.000001C6D477B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000F.00000003.1529744046.000001C6D5319000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://fpn.firefox.com	firefox.exe, 0000000F.00000003.1588035693.000001C6C7750000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587943078.000001C6C776E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000F.00000003.1580529255.000001C6CB777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1558393550.000001C6CB778000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000F.00000003.1546498063.000001C6C9C6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1547492886.000001C6C938E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1579781838.000001C6CC9A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3154911124.000001C7A2203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3155221846.000001F26B80C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=htdv	firefox.exe, 00000011.00000002.3158053408.00000291C9CB0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000F.00000003.1436493785.000001C6C957C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000F.00000003.1583148249.000001C6CA725000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000F.00000003.1539840221.000001C6D477B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000F.00000003.1576415553.000001C6CA2DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1576269808.000001C6CB3A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1542355882.000001C6CB393000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1582181546.000001C6CB3A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1576415553.000001C6CA2F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3154911124.000001C7A22C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3155221846.000001F26B8C3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000F.00000003.1436493785.000001C6C957C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000F.00000003.1567355917.000001C6D4722000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 0000000F.00000003.1576415553.000001C6CA266000.00000004.00000800.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000F.00000003.1549232137.000001C6C9315000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587027826.000001C6C9319000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.15.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000F.00000003.1571764370.000001C6CB7FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000011.00000002.3155655367.00000291C9BCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3154911124.000001C7A22EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3158020908.000001F26BB03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.15.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000F.00000003.1580529255.000001C6CB777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1558393550.000001C6CB778000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000F.00000003.1579781838.000001C6CC9A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3154911124.000001C7A2212000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3155221846.000001F26B813000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000F.00000003.1583148249.000001C6CA725000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.15.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000F.00000003.1536980270.000001C6CC809000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1422881643.000001C6CC809000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000F.00000003.1547492886.000001C6C9370000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000F.00000003.1550487730.000001C6C77AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587791865.000001C6C77AC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000F.00000003.1535467477.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1434152908.000001C6C95C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1509006207.000001C6C95BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1427675583.000001C6CA56B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1433287640.000001C6C94EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1527687538.000001C6D525E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1492886816.000001C6D1710000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1490676468.000001C6CCAE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1560021005.000001C6D5319000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1563360361.000001C6D1649000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1486549152.000001C6CA591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1526888372.000001C6D5292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1427675583.000001C6CA568000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1575758821.000001C6CC629000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1542209349.000001C6CB3D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1496885709.000001C6C95BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1477743646.000001C6CA1F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1477743646.000001C6CA1F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1534685672.000001C6D16AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1433287640.000001C6C94DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1509614390.000001C6C95C2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000F.00000003.1537094657.000001C6CC630000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000F.00000003.1537094657.000001C6CC630000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.15.dr	false	high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000F.00000003.1421285643.000001C6C9FA8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.zhihu.com/	firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000F.00000003.1547492886.000001C6C9370000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000F.00000003.1492395082.000001C6D172C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000F.00000003.1535467477.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1556719525.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1569490263.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000F.00000003.1567418170.000001C6D1AA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1591897740.000001C6D1AA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1420019887.000001C6CAC74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1422666198.000001C6D1AA5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000F.00000003.1535467477.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1556719525.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1569490263.000001C6D15E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000F.00000003.1422666198.000001C6D1ACB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000F.00000003.1550487730.000001C6C77AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1371405568.000001C6C8B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587663046.000001C6C77BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000F.00000003.1544806190.000001C6CA217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1584436226.000001C6CA219000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/	firefox.exe, 0000000F.00000003.1526888372.000001C6D52B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1552468743.000001C6D52B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1527898552.000001C6D52B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000011.00000002.3157903501.00000291C9C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3154416859.000001C7A20B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3157810310.000001F26BA00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000F.00000003.1570363999.000001C6D149F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1574609436.000001C6D149F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1593339118.000001C6D14A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1536061200.000001C6D149F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1557483963.000001C6D149F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000F.00000003.1436493785.000001C6C957C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000F.00000003.1550487730.000001C6C77AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1371405568.000001C6C8B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1587663046.000001C6C77BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000F.00000003.1539840221.000001C6D477B000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574458
Start date and time:	2024-12-13 10:55:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/38@73/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 51 Number of non-executed functions: 286
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.85.93.176, 44.228.225.150, 54.213.181.160, 172.217.17.46, 88.221.134.155, 88.221.134.209, 142.250.181.106, 142.250.181.138, 13.107.246.63, 23.218.208.109, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	34.144.206.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	j87MOFviv4.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	DvGZE4FU02.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	j3z5kxxt52.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	zpbiw0htk6.lnk	Get hash	malicious	Unknown	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	151.101.66.137
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse	151.101.0.223
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	34.144.206.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_198a2e9f-0549-44c2-a620-219d37f8bcc2.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.171650964611462
Encrypted:	false
SSDEEP:	192:xMvMiHzEcbhbVbTbfbRbObtbyEl7nYrzJA6unSrDtTkd/S9Y:xFFcNhnzFSJ4rK1nSrDhkd/cY
MD5:	25E9FFE31614B8C3CE077A69D128664C
SHA1:	32BEDA94DF9AF55C8B43DE57FBB49B76E15BB0A1
SHA-256:	88E94264C934A95D5B66D281BD69757887C429F4A9E7D84C772F4178C5C37536
SHA-512:	DB9FB14718CB0533856FF264C94065628514196B6C999EFC208324FBBFCA734AC10B023EA507A35A80B89D7B938F8FC53E0048809724C75D62CD9D51B5D00F4F
Malicious:	false
Preview:	{"type":"uninstall","id":"198a2e9f-0549-44c2-a620-219d37f8bcc2","creationDate":"2024-12-13T10:59:15.250Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_198a2e9f-0549-44c2-a620-219d37f8bcc2.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.171650964611462
Encrypted:	false
SSDEEP:	192:xMvMiHzEcbhbVbTbfbRbObtbyEl7nYrzJA6unSrDtTkd/S9Y:xFFcNhnzFSJ4rK1nSrDhkd/cY
MD5:	25E9FFE31614B8C3CE077A69D128664C
SHA1:	32BEDA94DF9AF55C8B43DE57FBB49B76E15BB0A1
SHA-256:	88E94264C934A95D5B66D281BD69757887C429F4A9E7D84C772F4178C5C37536
SHA-512:	DB9FB14718CB0533856FF264C94065628514196B6C999EFC208324FBBFCA734AC10B023EA507A35A80B89D7B938F8FC53E0048809724C75D62CD9D51B5D00F4F
Malicious:	false
Preview:	{"type":"uninstall","id":"198a2e9f-0549-44c2-a620-219d37f8bcc2","creationDate":"2024-12-13T10:59:15.250Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3091443171862647
Encrypted:	false
SSDEEP:	24:JXdfYGAlTIUx2dWoM15rLN8zm3UdfYGAlswM+bpoqdWoM15rLFX1Rgm3SdfYGAlt:5dkiUgdw8zPdki6BdwsddkCadwu1
MD5:	AC69CDFDF0B39C9AA5D7820692AB28BD
SHA1:	5855CB2903273FBB9D504D076B57590F3668F74E
SHA-256:	1D1CD3967821BBC897B9E56B9082A93A67067AD6CDD8A956C05845CD131A183F
SHA-512:	858BDE101F078FC3FEDD8DB5ACBD46B3083EE753C299923C451EAB48304C90238ED89DDA4DAB1492EB9CA3C68B81BCCD8627DDFAE05F2B8BD9932A60118B690A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........JGEM..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.=..PROGRA~1..t......O.I.YWW....B...............J.......z.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.YPW............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.O..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........-........C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3091443171862647
Encrypted:	false
SSDEEP:	24:JXdfYGAlTIUx2dWoM15rLN8zm3UdfYGAlswM+bpoqdWoM15rLFX1Rgm3SdfYGAlt:5dkiUgdw8zPdki6BdwsddkCadwu1
MD5:	AC69CDFDF0B39C9AA5D7820692AB28BD
SHA1:	5855CB2903273FBB9D504D076B57590F3668F74E
SHA-256:	1D1CD3967821BBC897B9E56B9082A93A67067AD6CDD8A956C05845CD131A183F
SHA-512:	858BDE101F078FC3FEDD8DB5ACBD46B3083EE753C299923C451EAB48304C90238ED89DDA4DAB1492EB9CA3C68B81BCCD8627DDFAE05F2B8BD9932A60118B690A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........JGEM..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.=..PROGRA~1..t......O.I.YWW....B...............J.......z.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.YPW............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.O..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........-........C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6O8SBFH6OVLJZGKGDRPC.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	modified
Size (bytes):	5488
Entropy (8bit):	3.3091443171862647
Encrypted:	false
SSDEEP:	24:JXdfYGAlTIUx2dWoM15rLN8zm3UdfYGAlswM+bpoqdWoM15rLFX1Rgm3SdfYGAlt:5dkiUgdw8zPdki6BdwsddkCadwu1
MD5:	AC69CDFDF0B39C9AA5D7820692AB28BD
SHA1:	5855CB2903273FBB9D504D076B57590F3668F74E
SHA-256:	1D1CD3967821BBC897B9E56B9082A93A67067AD6CDD8A956C05845CD131A183F
SHA-512:	858BDE101F078FC3FEDD8DB5ACBD46B3083EE753C299923C451EAB48304C90238ED89DDA4DAB1492EB9CA3C68B81BCCD8627DDFAE05F2B8BD9932A60118B690A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........JGEM..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.=..PROGRA~1..t......O.I.YWW....B...............J.......z.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.YPW............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.O..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........-........C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RHOSW4FG1VL3GGJPL6XM.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3091443171862647
Encrypted:	false
SSDEEP:	24:JXdfYGAlTIUx2dWoM15rLN8zm3UdfYGAlswM+bpoqdWoM15rLFX1Rgm3SdfYGAlt:5dkiUgdw8zPdki6BdwsddkCadwu1
MD5:	AC69CDFDF0B39C9AA5D7820692AB28BD
SHA1:	5855CB2903273FBB9D504D076B57590F3668F74E
SHA-256:	1D1CD3967821BBC897B9E56B9082A93A67067AD6CDD8A956C05845CD131A183F
SHA-512:	858BDE101F078FC3FEDD8DB5ACBD46B3083EE753C299923C451EAB48304C90238ED89DDA4DAB1492EB9CA3C68B81BCCD8627DDFAE05F2B8BD9932A60118B690A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........JGEM..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.=..PROGRA~1..t......O.I.YWW....B...............J.......z.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.YPW............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.O..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........-........C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.940245251401469
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLL58P:8S+Oc+UAOdwiOdKeQjDLL58P
MD5:	73A272C62A6316D7F660E998516408BE
SHA1:	85B676FCB999BD242B097804A7832463B55229EC
SHA-256:	5151E6641A316ABC205F56DA14F8CA655BFDBCFDEAAA1C83DF5DE810C7BE8579
SHA-512:	2FD530E53BEF5EAB360C636BA6D225EBA8DAFAF70AE0F8A2FA012912B0CB594339F502EC50A3C3D71F602024476881EC04C2423D7B70AD4F604A62990E03248F
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.940245251401469
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLL58P:8S+Oc+UAOdwiOdKeQjDLL58P
MD5:	73A272C62A6316D7F660E998516408BE
SHA1:	85B676FCB999BD242B097804A7832463B55229EC
SHA-256:	5151E6641A316ABC205F56DA14F8CA655BFDBCFDEAAA1C83DF5DE810C7BE8579
SHA-512:	2FD530E53BEF5EAB360C636BA6D225EBA8DAFAF70AE0F8A2FA012912B0CB594339F502EC50A3C3D71F602024476881EC04C2423D7B70AD4F604A62990E03248F
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07330911190487333
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	24FCD83F6F7A85F2DB80645147DFA16F
SHA1:	134B1ACD6DF9137F78654428D73531AC1F3AB8B5
SHA-256:	954FA667ECB0F1564B4C502CDEDB50B2F56BC6922A190428CC50BD423537F1C7
SHA-512:	421BB7FE596134D6A7BE25C2BABBF4FF297C87194AD532614B7A7DD510373EA8A3A5CECF4965264D35AC9AF87295A5CB48F25845E7925D676B41296B77A572C0
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03960322595581722
Encrypted:	false
SSDEEP:	3:GHlhVss2abmC//dlhVss2abmCUlwl8a9//Ylll4llqlyllel4lt:G7VssIC//hVssIC8QL9XIwlio
MD5:	7959C5FB43B752E3FF038B774EB81CA7
SHA1:	CBC5AD630B40BFDF4F3C51874B04C87FA9D0BCF0
SHA-256:	F758FF69D22925F93F28B906A15C808818E653867B8DC2771B360A51BBE3744C
SHA-512:	7C8324737579CD4FCAEBED58C521F935265755206813112145234A6A1F4FA60D80C66BB3DEC5E4494047DB9AFCBB51E5CAC91924097FAA4F4E04058DC16DE005
Malicious:	false
Preview:	..-..........................6.\|..V}Fy,:.#{.8.g...-..........................6.\|..V}Fy,:.#{.8.g.........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11460779134036102
Encrypted:	false
SSDEEP:	24:Ky4/iGfkALxsZ+XxsMl+4UC0yWUCiYCCQE/5SKCwCfxsawDwljWVZ2i7+:LQLMUQ6JxHWsYSHVw05EZk
MD5:	1DDBA9B752C8921ADBE96B22AA2825CA
SHA1:	4D082BC0930A9F5AF0B8826F0EBF6243E01D53D2
SHA-256:	E5DE6439710259F8843336E8AEB48A5843970FF37C5079C0E21C3F779635E61E
SHA-512:	D1BD886A796D05C08968075CFA771C4DF7081C10BCC2A0E981ADADE713744232AE94A2F49ECAD7B5FBC5D537CFE85844B6BD72D0C36C3619BBAF71C22BBE6809
Malicious:	false
Preview:	7....-............V}Fy,:S...E.............V}Fy,:.r...l'................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478733388254045
Encrypted:	false
SSDEEP:	192:lOnSRkyYbBp6PqUCaXW6VXXNjk5RHNBw8dnnSl:JeQqUVZ9IPw00
MD5:	18054754CBA4F542BAB3D54AF7971E30
SHA1:	B578A8F13FFD2F0FF2C2C546D4FF02FDA281892D
SHA-256:	587F56F6C17194284E2A13E64B389FBAE60F09A818AAEACB9CFD788DD99ED7EE
SHA-512:	41673E4BF9E3C840067C20A99F4E811B648F82BF173798BC60E177E6AE154A6BE94FB8C4B6E982807ABAB1EAE6033990F9B503CB41139AFE6863651A2C7739DE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734087525);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734087525);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734087525);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478733388254045
Encrypted:	false
SSDEEP:	192:lOnSRkyYbBp6PqUCaXW6VXXNjk5RHNBw8dnnSl:JeQqUVZ9IPw00
MD5:	18054754CBA4F542BAB3D54AF7971E30
SHA1:	B578A8F13FFD2F0FF2C2C546D4FF02FDA281892D
SHA-256:	587F56F6C17194284E2A13E64B389FBAE60F09A818AAEACB9CFD788DD99ED7EE
SHA-512:	41673E4BF9E3C840067C20A99F4E811B648F82BF173798BC60E177E6AE154A6BE94FB8C4B6E982807ABAB1EAE6033990F9B503CB41139AFE6863651A2C7739DE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734087525);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734087525);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734087525);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.331578994881688
Encrypted:	false
SSDEEP:	24:v+USUGlcAxScEkLXnIgG/pnxQwRlszT5sKhi0v3eHVVPNZTVamhuj3pOOcUb2mi7:GUpOxNGnR6J3etZTV45edHd
MD5:	2C23FB0D901E3C54A3D1914138C5EF74
SHA1:	401B7D7BC454468CE88DA9A0036F13685ABC479F
SHA-256:	0F4A2EC55A52C2614ED9897726DF6AA697472CEE1CD877040785C4B444A6FE7B
SHA-512:	E833FE30DB3CBD1C57573F422DE329985B8B0607A0D26C0805E26FB34AC7BB68AADF8BD72AADB06A457AE7F5949E01CEFF7B8BE3268F29DA498B4FD793F744CA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{e81b21e5-8843-447f-be18-afc01551a8a1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734087532711,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..`494370...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...01356,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.331578994881688
Encrypted:	false
SSDEEP:	24:v+USUGlcAxScEkLXnIgG/pnxQwRlszT5sKhi0v3eHVVPNZTVamhuj3pOOcUb2mi7:GUpOxNGnR6J3etZTV45edHd
MD5:	2C23FB0D901E3C54A3D1914138C5EF74
SHA1:	401B7D7BC454468CE88DA9A0036F13685ABC479F
SHA-256:	0F4A2EC55A52C2614ED9897726DF6AA697472CEE1CD877040785C4B444A6FE7B
SHA-512:	E833FE30DB3CBD1C57573F422DE329985B8B0607A0D26C0805E26FB34AC7BB68AADF8BD72AADB06A457AE7F5949E01CEFF7B8BE3268F29DA498B4FD793F744CA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{e81b21e5-8843-447f-be18-afc01551a8a1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734087532711,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..`494370...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...01356,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.331578994881688
Encrypted:	false
SSDEEP:	24:v+USUGlcAxScEkLXnIgG/pnxQwRlszT5sKhi0v3eHVVPNZTVamhuj3pOOcUb2mi7:GUpOxNGnR6J3etZTV45edHd
MD5:	2C23FB0D901E3C54A3D1914138C5EF74
SHA1:	401B7D7BC454468CE88DA9A0036F13685ABC479F
SHA-256:	0F4A2EC55A52C2614ED9897726DF6AA697472CEE1CD877040785C4B444A6FE7B
SHA-512:	E833FE30DB3CBD1C57573F422DE329985B8B0607A0D26C0805E26FB34AC7BB68AADF8BD72AADB06A457AE7F5949E01CEFF7B8BE3268F29DA498B4FD793F744CA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{e81b21e5-8843-447f-be18-afc01551a8a1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734087532711,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..`494370...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...01356,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.037084012014535
Encrypted:	false
SSDEEP:	48:YrSAYAeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:ycA+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	038515192A84B645BACEEDDD644CA8AE
SHA1:	F9A1E0D783D9731D9E204A6B8572DB629BDA6AE2
SHA-256:	33D1C6B81BA703F8F3C82AE7366BEB4EFF538E34DE0592A98EA323AB27385D39
SHA-512:	5C16E711DE6161D95394F9104AF91D4D0D5BFF31BC617AB317CEAADC372E12FF6476D0B9BBC8E8364BF5C985CFAD7958222244BF812AD80C571A4F2A2FBCB721
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T10:58:30.364Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.037084012014535
Encrypted:	false
SSDEEP:	48:YrSAYAeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:ycA+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	038515192A84B645BACEEDDD644CA8AE
SHA1:	F9A1E0D783D9731D9E204A6B8572DB629BDA6AE2
SHA-256:	33D1C6B81BA703F8F3C82AE7366BEB4EFF538E34DE0592A98EA323AB27385D39
SHA-512:	5C16E711DE6161D95394F9104AF91D4D0D5BFF31BC617AB317CEAADC372E12FF6476D0B9BBC8E8364BF5C985CFAD7958222244BF812AD80C571A4F2A2FBCB721
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T10:58:30.364Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.694619276363792
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	966'656 bytes
MD5:	9b55afc1ca0156a623d6c797cf48ea06
SHA1:	4ba883db2fc00f0ef478ba431904c67b9660a03b
SHA256:	835b3cbdb1fd7a062e79fe9146a6b46aa1fb12d8f408fef57672109f64b1acbe
SHA512:	6b25760b075f8425abdadb054eab3c33a60e573bc57048bc9bde426bb2513f50fe20697770194539a237af10a6929f8abcd5b6150e78f1c77e1da60d8033069c
SSDEEP:	12288:iqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaZlfwq:iqDEvCTbMWu7rQYlBQcBiT6rprG8a7/
TLSH:	6C259E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81DB9BD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BFF29 [Fri Dec 13 09:32:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F9480ECF423h
jmp 00007F9480ECED2Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9480ECEF0Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9480ECEEDAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F9480ED1ACDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F9480ED1B18h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F9480ED1B01h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x154c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x154c4	0x15600	deda9cb99c0950c85c327f7513382747	False	0.688733552631579	data	7.123905023226813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xc646	data			1.000512234524607
RT_GROUP_ICON	0xe8f44	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe8fbc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe8fd0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe8fe4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe8ff8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe90d4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 10:56:24.915827036 CET	49722	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:24.915911913 CET	443	49722	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:24.916702986 CET	49722	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:24.921858072 CET	49722	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:24.921878099 CET	443	49722	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:25.622512102 CET	49728	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:25.622546911 CET	443	49728	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:25.623761892 CET	49728	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:25.625319004 CET	49728	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:25.625332117 CET	443	49728	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:25.738883972 CET	49729	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:25.738929033 CET	443	49729	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:25.740463018 CET	49729	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:25.742068052 CET	49729	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:25.742082119 CET	443	49729	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:25.898164034 CET	49730	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:26.019572020 CET	80	49730	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:26.019681931 CET	49730	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:26.019877911 CET	49730	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:26.140417099 CET	443	49722	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:26.140528917 CET	49722	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:26.140682936 CET	80	49730	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:26.174216032 CET	49722	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:26.174247026 CET	443	49722	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:26.174427986 CET	49722	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:26.174540043 CET	443	49722	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:26.178047895 CET	49722	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:26.221647024 CET	49731	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:26.221756935 CET	443	49731	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:26.222882986 CET	49731	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:26.222997904 CET	49731	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:26.223018885 CET	443	49731	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:26.685688972 CET	49732	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:26.685741901 CET	443	49732	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:26.690032005 CET	49732	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:26.696368933 CET	49732	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:26.696388960 CET	443	49732	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:27.106635094 CET	80	49730	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:27.134248018 CET	49734	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.134304047 CET	443	49734	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:27.135268927 CET	49734	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.136759043 CET	49734	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.136775970 CET	443	49734	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:27.141124964 CET	49730	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:27.261328936 CET	80	49730	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:27.261398077 CET	49730	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:27.333168030 CET	443	49728	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.333244085 CET	49728	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.334168911 CET	443	49728	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.334225893 CET	49728	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.436049938 CET	443	49729	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.436186075 CET	49729	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.436775923 CET	443	49729	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.436856031 CET	49729	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.443018913 CET	443	49731	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:27.443108082 CET	49731	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:27.544868946 CET	49731	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:27.544917107 CET	443	49731	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:27.545223951 CET	443	49731	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:27.545285940 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:27.545438051 CET	49736	443	192.168.2.7	34.160.144.191
Dec 13, 2024 10:56:27.545469999 CET	443	49736	34.160.144.191	192.168.2.7
Dec 13, 2024 10:56:27.547559977 CET	49728	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.547584057 CET	443	49728	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.547663927 CET	49728	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.547904015 CET	443	49728	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.550313950 CET	49729	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.550333023 CET	443	49729	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.550461054 CET	49729	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.550575018 CET	443	49729	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.550940990 CET	49737	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.550976038 CET	443	49737	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.552851915 CET	49728	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.552866936 CET	49729	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.552886963 CET	49736	443	192.168.2.7	34.160.144.191
Dec 13, 2024 10:56:27.552987099 CET	49737	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.556603909 CET	49736	443	192.168.2.7	34.160.144.191
Dec 13, 2024 10:56:27.556621075 CET	443	49736	34.160.144.191	192.168.2.7
Dec 13, 2024 10:56:27.557940960 CET	49737	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:27.557969093 CET	443	49737	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:27.558581114 CET	49731	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:27.558653116 CET	49731	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:27.558762074 CET	443	49731	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:27.558811903 CET	49731	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:27.587141991 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:27.665074110 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:27.665467978 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:27.665467978 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:27.706990004 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:27.707530022 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:27.710391998 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:27.785409927 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:27.830152988 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:27.917515039 CET	443	49732	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:27.917726994 CET	49732	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.925846100 CET	49732	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.925863028 CET	443	49732	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:27.925970078 CET	49732	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.926040888 CET	443	49732	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:27.926393032 CET	49732	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.926455021 CET	49744	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.926513910 CET	443	49744	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:27.926645994 CET	49744	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.928103924 CET	49744	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:27.928143024 CET	443	49744	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:28.363415956 CET	443	49734	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:28.364168882 CET	49734	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:28.370254993 CET	49734	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:28.370254993 CET	49734	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:28.370273113 CET	443	49734	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:28.370510101 CET	49745	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:28.370557070 CET	443	49745	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:28.370575905 CET	443	49734	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:28.370663881 CET	49745	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:28.370754957 CET	49734	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:28.372694016 CET	49745	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:28.372709036 CET	443	49745	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:28.752754927 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:28.774473906 CET	443	49736	34.160.144.191	192.168.2.7
Dec 13, 2024 10:56:28.774497032 CET	443	49736	34.160.144.191	192.168.2.7
Dec 13, 2024 10:56:28.777709961 CET	49736	443	192.168.2.7	34.160.144.191
Dec 13, 2024 10:56:28.782139063 CET	49736	443	192.168.2.7	34.160.144.191
Dec 13, 2024 10:56:28.782152891 CET	443	49736	34.160.144.191	192.168.2.7
Dec 13, 2024 10:56:28.782613039 CET	443	49736	34.160.144.191	192.168.2.7
Dec 13, 2024 10:56:28.784615040 CET	49736	443	192.168.2.7	34.160.144.191
Dec 13, 2024 10:56:28.784727097 CET	49736	443	192.168.2.7	34.160.144.191
Dec 13, 2024 10:56:28.784823895 CET	443	49736	34.160.144.191	192.168.2.7
Dec 13, 2024 10:56:28.785161972 CET	49736	443	192.168.2.7	34.160.144.191
Dec 13, 2024 10:56:28.785178900 CET	49736	443	192.168.2.7	34.160.144.191
Dec 13, 2024 10:56:28.796020031 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:28.809278965 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:28.850815058 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:28.893596888 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:28.894429922 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:29.013493061 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:29.014352083 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:29.042673111 CET	49748	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:29.042726040 CET	443	49748	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:29.043323040 CET	49748	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:29.050750017 CET	49748	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:29.050765991 CET	443	49748	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:29.055932045 CET	49749	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:29.055962086 CET	443	49749	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:29.063555002 CET	49749	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:29.063848972 CET	49749	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:29.063863039 CET	443	49749	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:29.112179995 CET	49750	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:29.112201929 CET	443	49750	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:29.112835884 CET	49750	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:29.114375114 CET	49750	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:29.114386082 CET	443	49750	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:29.124749899 CET	49751	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:29.124794006 CET	443	49751	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:29.126192093 CET	49751	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:29.128078938 CET	49751	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:29.128088951 CET	443	49751	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:29.149065971 CET	443	49744	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:29.153151989 CET	49744	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:29.158637047 CET	49744	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:29.158653021 CET	443	49744	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:29.158749104 CET	49744	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:29.158781052 CET	443	49744	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:29.159857988 CET	49744	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:29.208076954 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:29.208479881 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:29.212905884 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:29.250710964 CET	443	49737	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:29.251480103 CET	443	49737	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:29.251852989 CET	49737	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:29.251863956 CET	443	49737	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:29.256891012 CET	49737	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:29.256906033 CET	443	49737	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:29.257052898 CET	49737	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:29.257069111 CET	443	49737	142.250.181.110	192.168.2.7
Dec 13, 2024 10:56:29.266006947 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:29.266033888 CET	49737	443	192.168.2.7	142.250.181.110
Dec 13, 2024 10:56:29.272444963 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:29.333997011 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:29.393177986 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:29.527884007 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:29.571317911 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:29.589440107 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:29.599690914 CET	443	49745	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:29.602855921 CET	49745	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:29.641194105 CET	49745	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:29.641223907 CET	443	49745	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:29.641310930 CET	49745	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:29.641494989 CET	443	49745	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:29.642129898 CET	49745	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:29.656030893 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:30.275294065 CET	443	49748	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:30.275377989 CET	49748	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:30.279973030 CET	443	49749	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:30.279987097 CET	443	49749	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:30.280261040 CET	49749	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:30.280329943 CET	49748	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:30.280347109 CET	443	49748	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:30.280455112 CET	49748	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:30.280508041 CET	443	49748	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:30.283912897 CET	49749	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:30.283925056 CET	443	49749	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:30.283936977 CET	49748	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:30.284166098 CET	443	49749	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:30.286657095 CET	49749	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:30.286744118 CET	49749	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:30.286782026 CET	443	49749	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:30.286883116 CET	49749	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:30.345000982 CET	443	49750	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:30.345076084 CET	49750	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:30.363202095 CET	49750	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:30.363219023 CET	443	49750	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:30.363280058 CET	49750	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:30.364576101 CET	443	49750	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:30.364665031 CET	49750	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:30.368263960 CET	443	49751	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:30.368360043 CET	49751	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:30.373347044 CET	49751	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:30.373374939 CET	443	49751	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:30.373430014 CET	49751	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:30.373672009 CET	443	49751	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:30.373800993 CET	49751	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:32.754371881 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:32.782706022 CET	49764	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:32.782737970 CET	443	49764	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:32.790653944 CET	49764	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:32.792371988 CET	49764	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:32.792392969 CET	443	49764	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:32.798187017 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:32.874536037 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:32.918112040 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:32.938057899 CET	49765	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:32.938085079 CET	443	49765	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:32.938188076 CET	49765	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:32.939640045 CET	49765	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:32.939655066 CET	443	49765	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:33.069169044 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:33.113054037 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:33.123877048 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:33.161653042 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:34.019100904 CET	443	49764	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:34.019121885 CET	443	49764	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:34.019184113 CET	49764	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:34.023929119 CET	49764	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:34.023938894 CET	443	49764	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:34.024063110 CET	49764	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:34.024142027 CET	443	49764	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:34.024473906 CET	49767	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:34.024503946 CET	443	49767	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:34.024521112 CET	49764	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:34.024580002 CET	49767	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:34.025943041 CET	49767	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:34.025955915 CET	443	49767	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:34.148905993 CET	443	49765	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:34.148982048 CET	49765	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:34.153989077 CET	49765	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:34.154010057 CET	443	49765	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:34.154088020 CET	49765	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:34.154170990 CET	443	49765	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:34.154227018 CET	49765	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:35.246237040 CET	443	49767	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:35.246371031 CET	49767	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:35.251265049 CET	49767	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:35.251276970 CET	443	49767	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:35.251420021 CET	49767	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:35.251468897 CET	443	49767	34.117.188.166	192.168.2.7
Dec 13, 2024 10:56:35.251578093 CET	49767	443	192.168.2.7	34.117.188.166
Dec 13, 2024 10:56:36.675249100 CET	49779	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:36.675352097 CET	443	49779	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:36.675690889 CET	49780	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:36.675733089 CET	443	49780	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:36.676331043 CET	49779	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:36.676515102 CET	49780	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:36.677705050 CET	49779	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:36.677741051 CET	443	49779	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:36.678380013 CET	49780	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:36.678395033 CET	443	49780	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:36.822655916 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:36.942374945 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:37.137631893 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:37.182765007 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:37.563812971 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:37.567029953 CET	49781	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:37.567073107 CET	443	49781	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:37.568195105 CET	49781	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:37.569874048 CET	49781	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:37.569895983 CET	443	49781	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:37.683758020 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:37.878398895 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:37.889352083 CET	443	49779	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:37.889436960 CET	49779	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.889763117 CET	443	49780	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:37.889828920 CET	49780	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.894371033 CET	49780	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.894385099 CET	443	49780	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:37.894741058 CET	443	49780	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:37.916050911 CET	49779	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.916104078 CET	443	49779	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:37.916198969 CET	49779	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.916215897 CET	49780	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.916311979 CET	49780	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.916604996 CET	443	49779	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:37.916659117 CET	443	49780	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:37.916685104 CET	49782	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.916723013 CET	443	49782	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:37.916771889 CET	49779	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.916779041 CET	49780	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.917563915 CET	49782	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.917970896 CET	49782	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:37.917984962 CET	443	49782	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:37.922605991 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:38.787903070 CET	443	49781	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:38.787992001 CET	49781	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:39.059006929 CET	49781	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:39.059037924 CET	443	49781	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:39.059077978 CET	49781	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:39.059828997 CET	443	49781	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:39.059998989 CET	49781	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:39.131856918 CET	443	49782	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:39.132169008 CET	49782	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:40.418597937 CET	49782	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:40.418648958 CET	443	49782	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:40.419706106 CET	443	49782	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:40.421129942 CET	49782	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:40.421242952 CET	49782	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:40.421583891 CET	443	49782	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:40.421972036 CET	49782	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:40.487541914 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:40.608753920 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:40.802681923 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:40.846690893 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:41.164747953 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:41.287893057 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:41.485447884 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:41.533135891 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:41.701951981 CET	49793	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:41.701991081 CET	443	49793	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:41.703737020 CET	49793	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:41.705180883 CET	49793	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:41.705200911 CET	443	49793	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:41.713519096 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:41.833425999 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:42.030039072 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:42.081593037 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:42.518280983 CET	49796	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.518325090 CET	443	49796	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:42.518661022 CET	49795	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.518727064 CET	443	49795	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:42.518802881 CET	49794	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.518831968 CET	443	49794	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:42.520159960 CET	49796	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.520229101 CET	49795	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.520231009 CET	49794	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.520360947 CET	49796	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.520380020 CET	443	49796	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:42.520642996 CET	49795	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.520647049 CET	49794	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.520658016 CET	443	49795	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:42.520661116 CET	443	49794	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:42.609076023 CET	49797	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.609129906 CET	443	49797	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:42.611031055 CET	49797	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.880739927 CET	49797	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:42.880762100 CET	443	49797	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:42.881354094 CET	49798	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:42.881397963 CET	443	49798	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:42.882699013 CET	49798	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:42.882781982 CET	49798	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:42.882791042 CET	443	49798	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:42.916599035 CET	443	49793	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:42.916682959 CET	49793	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:43.735873938 CET	443	49794	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:43.735956907 CET	49794	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:43.737494946 CET	443	49795	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:43.737579107 CET	49795	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:43.740827084 CET	443	49796	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:43.744991064 CET	49796	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.101072073 CET	443	49798	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:44.101197958 CET	49798	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:44.107299089 CET	443	49797	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.107409954 CET	49797	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.944015026 CET	49794	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.944032907 CET	443	49794	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.944509029 CET	443	49794	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.947866917 CET	49795	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.947890997 CET	443	49795	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.948216915 CET	443	49795	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.950136900 CET	49796	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.950160980 CET	443	49796	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.950565100 CET	443	49796	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.953799009 CET	49798	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:44.953841925 CET	443	49798	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:44.954108953 CET	443	49798	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:44.959925890 CET	49793	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:44.959940910 CET	443	49793	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:44.960200071 CET	443	49793	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:44.960767984 CET	49793	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:44.960781097 CET	443	49793	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:44.963103056 CET	49795	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.963285923 CET	443	49795	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.963466883 CET	49795	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.963478088 CET	443	49795	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.963491917 CET	49794	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.963517904 CET	49796	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.963637114 CET	49796	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.963704109 CET	443	49794	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.963716984 CET	443	49796	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.963908911 CET	49796	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.963936090 CET	49793	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:44.963936090 CET	49794	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.964420080 CET	49794	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.964430094 CET	443	49794	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.964720964 CET	49797	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.964756012 CET	443	49797	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.964793921 CET	49797	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.965188026 CET	443	49797	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.966547966 CET	49798	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:44.966639996 CET	49798	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:44.966696024 CET	443	49798	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:44.968005896 CET	49797	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.968025923 CET	49798	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:44.969583988 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:44.974710941 CET	49804	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.974776030 CET	443	49804	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.975831032 CET	49804	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.977247000 CET	49804	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.977277994 CET	443	49804	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.979197979 CET	49805	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.979248047 CET	443	49805	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:44.980206966 CET	49805	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.980357885 CET	49805	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:44.980379105 CET	443	49805	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:45.090270996 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:45.167337894 CET	443	49795	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:45.167484045 CET	49795	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:45.287169933 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:45.290602922 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:45.344331980 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:45.415437937 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:45.605163097 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:45.645097017 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:46.190097094 CET	443	49804	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:46.190202951 CET	49804	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.194892883 CET	49804	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.194926977 CET	443	49804	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:46.194993019 CET	49804	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.195090055 CET	443	49804	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:46.195740938 CET	49804	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.197626114 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:46.198170900 CET	443	49805	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:46.198628902 CET	49805	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.201433897 CET	49805	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.201452017 CET	443	49805	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:46.201756001 CET	443	49805	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:46.202275038 CET	49811	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.202327013 CET	443	49811	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:46.202538013 CET	49811	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.204036951 CET	49811	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.204056025 CET	443	49811	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:46.205976963 CET	49805	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.206077099 CET	49805	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.206125021 CET	443	49805	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:46.206387043 CET	49805	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:46.317428112 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:46.511991024 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:46.515279055 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:46.563309908 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:46.635169983 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:46.831257105 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:46.883373976 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:47.422966003 CET	443	49811	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:47.423064947 CET	49811	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:47.428617001 CET	49811	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:47.428658009 CET	443	49811	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:47.428755045 CET	49811	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:47.428920031 CET	443	49811	34.120.208.123	192.168.2.7
Dec 13, 2024 10:56:47.430126905 CET	49811	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:56:47.432023048 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:47.552126884 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:47.752801895 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:47.756593943 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:47.804656982 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:47.876471996 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:48.071665049 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:48.121170998 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:51.827341080 CET	49827	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:51.827375889 CET	443	49827	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:51.829247952 CET	49827	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:51.829402924 CET	49827	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:51.829411983 CET	443	49827	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:51.840080023 CET	49828	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:51.840178967 CET	443	49828	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:51.840378046 CET	49828	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:51.840562105 CET	49828	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:51.840599060 CET	443	49828	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:51.941950083 CET	49829	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:51.942007065 CET	443	49829	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:51.949523926 CET	49829	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:51.951134920 CET	49829	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:51.951179981 CET	443	49829	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:52.075427055 CET	49830	443	192.168.2.7	151.101.129.91
Dec 13, 2024 10:56:52.075544119 CET	443	49830	151.101.129.91	192.168.2.7
Dec 13, 2024 10:56:52.075844049 CET	49830	443	192.168.2.7	151.101.129.91
Dec 13, 2024 10:56:52.075959921 CET	49830	443	192.168.2.7	151.101.129.91
Dec 13, 2024 10:56:52.075983047 CET	443	49830	151.101.129.91	192.168.2.7
Dec 13, 2024 10:56:52.083919048 CET	49831	443	192.168.2.7	35.201.103.21
Dec 13, 2024 10:56:52.083960056 CET	443	49831	35.201.103.21	192.168.2.7
Dec 13, 2024 10:56:52.084187031 CET	49831	443	192.168.2.7	35.201.103.21
Dec 13, 2024 10:56:52.085585117 CET	49831	443	192.168.2.7	35.201.103.21
Dec 13, 2024 10:56:52.085602999 CET	443	49831	35.201.103.21	192.168.2.7
Dec 13, 2024 10:56:53.048062086 CET	443	49827	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.048146009 CET	49827	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.051553011 CET	49827	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.051559925 CET	443	49827	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.051956892 CET	443	49827	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.054430962 CET	49827	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.054546118 CET	49827	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.054617882 CET	443	49827	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.054740906 CET	49827	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.057029009 CET	443	49828	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:53.057126999 CET	49828	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:53.060261965 CET	49828	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:53.060278893 CET	443	49828	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:53.060667038 CET	443	49828	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:53.062195063 CET	49828	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:53.062293053 CET	49828	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:53.062403917 CET	443	49828	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:53.062768936 CET	49828	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:53.062768936 CET	49828	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:53.063658953 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:53.170485973 CET	443	49829	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:53.170505047 CET	443	49829	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:53.170731068 CET	49829	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:53.175410986 CET	49829	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:53.175442934 CET	443	49829	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:53.175484896 CET	49829	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:53.175755024 CET	443	49829	35.190.72.216	192.168.2.7
Dec 13, 2024 10:56:53.175854921 CET	49829	443	192.168.2.7	35.190.72.216
Dec 13, 2024 10:56:53.183398008 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:53.304209948 CET	443	49830	151.101.129.91	192.168.2.7
Dec 13, 2024 10:56:53.304299116 CET	49830	443	192.168.2.7	151.101.129.91
Dec 13, 2024 10:56:53.307996988 CET	49830	443	192.168.2.7	151.101.129.91
Dec 13, 2024 10:56:53.308008909 CET	443	49830	151.101.129.91	192.168.2.7
Dec 13, 2024 10:56:53.308402061 CET	443	49830	151.101.129.91	192.168.2.7
Dec 13, 2024 10:56:53.311187029 CET	49830	443	192.168.2.7	151.101.129.91
Dec 13, 2024 10:56:53.311307907 CET	49830	443	192.168.2.7	151.101.129.91
Dec 13, 2024 10:56:53.311419010 CET	443	49831	35.201.103.21	192.168.2.7
Dec 13, 2024 10:56:53.311479092 CET	443	49830	151.101.129.91	192.168.2.7
Dec 13, 2024 10:56:53.311526060 CET	49831	443	192.168.2.7	35.201.103.21
Dec 13, 2024 10:56:53.315537930 CET	49831	443	192.168.2.7	35.201.103.21
Dec 13, 2024 10:56:53.315545082 CET	443	49831	35.201.103.21	192.168.2.7
Dec 13, 2024 10:56:53.315607071 CET	49831	443	192.168.2.7	35.201.103.21
Dec 13, 2024 10:56:53.315808058 CET	443	49831	35.201.103.21	192.168.2.7
Dec 13, 2024 10:56:53.316669941 CET	49830	443	192.168.2.7	151.101.129.91
Dec 13, 2024 10:56:53.316684008 CET	49831	443	192.168.2.7	35.201.103.21
Dec 13, 2024 10:56:53.320805073 CET	49832	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.320861101 CET	443	49832	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.321150064 CET	49832	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.321294069 CET	49832	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.321306944 CET	443	49832	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.323409081 CET	49833	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.323446035 CET	443	49833	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.323792934 CET	49833	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.323889971 CET	49833	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.323900938 CET	443	49833	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.325989008 CET	49834	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.326004028 CET	443	49834	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.326086998 CET	49834	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.326181889 CET	49834	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:53.326191902 CET	443	49834	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:53.327778101 CET	49835	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:53.327802896 CET	443	49835	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:53.327905893 CET	49835	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:53.328069925 CET	49835	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:53.328079939 CET	443	49835	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:53.380008936 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:53.383527040 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:53.421000004 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:53.503561974 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:53.697928905 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:53.759694099 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:54.537036896 CET	443	49833	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.537139893 CET	49833	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.540139914 CET	49833	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.540150881 CET	443	49833	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.540498018 CET	443	49833	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.541825056 CET	443	49832	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.541924953 CET	49832	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.544095039 CET	49832	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.544106960 CET	443	49832	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.545094013 CET	443	49832	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.545383930 CET	49833	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.545571089 CET	443	49833	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.545607090 CET	49833	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.545614958 CET	443	49833	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.545692921 CET	443	49834	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.546734095 CET	443	49835	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:54.547501087 CET	49832	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.547570944 CET	49832	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.547976017 CET	443	49832	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.548413038 CET	49832	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.548437119 CET	49834	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.548437119 CET	49835	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:54.551070929 CET	49834	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.551078081 CET	443	49834	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.551379919 CET	443	49834	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.553705931 CET	49835	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:54.553734064 CET	443	49835	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:54.554120064 CET	443	49835	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:54.556452990 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:54.558094025 CET	49834	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.558181047 CET	49834	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.558322906 CET	443	49834	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.558578014 CET	49835	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:54.558614969 CET	49835	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:54.558830023 CET	443	49835	34.149.100.209	192.168.2.7
Dec 13, 2024 10:56:54.559628963 CET	49834	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.559643984 CET	49835	443	192.168.2.7	34.149.100.209
Dec 13, 2024 10:56:54.676115990 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:54.755341053 CET	443	49833	35.244.181.201	192.168.2.7
Dec 13, 2024 10:56:54.755413055 CET	49833	443	192.168.2.7	35.244.181.201
Dec 13, 2024 10:56:54.870786905 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:54.873889923 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:54.925393105 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:54.993637085 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:55.188147068 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:55.207786083 CET	49841	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:55.207822084 CET	443	49841	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:55.208318949 CET	49841	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:55.209743977 CET	49841	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:55.209755898 CET	443	49841	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:55.241930962 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:56.425467014 CET	443	49841	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:56.425555944 CET	49841	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:56.430928946 CET	49841	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:56.430942059 CET	443	49841	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:56.431052923 CET	49841	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:56.431092024 CET	443	49841	34.107.243.93	192.168.2.7
Dec 13, 2024 10:56:56.431159019 CET	49841	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:56:56.434046030 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:56.553996086 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:56.754945040 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:56.758738995 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:56.799829006 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:56:56.878763914 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:57.407737970 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:57.445297956 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:56:57.446881056 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:06.764664888 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:06.884484053 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:07.419903040 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:07.541888952 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:16.894220114 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:17.014044046 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:17.131052017 CET	49893	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:17.131091118 CET	443	49893	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:17.131284952 CET	49893	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:17.132854939 CET	49893	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:17.132873058 CET	443	49893	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:17.564970970 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:17.685132027 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:18.366065979 CET	443	49893	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:18.366174936 CET	49893	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:18.370641947 CET	49893	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:18.370652914 CET	443	49893	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:18.370769978 CET	49893	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:18.370815992 CET	443	49893	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:18.371017933 CET	49893	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:18.375224113 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:18.495254993 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:18.692403078 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:18.697978020 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:18.753382921 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:18.818996906 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:19.012578964 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:19.054269075 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:22.678559065 CET	49908	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.678580999 CET	443	49908	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.678697109 CET	49909	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.678723097 CET	443	49909	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.678838015 CET	49910	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.678845882 CET	443	49910	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.678921938 CET	49911	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.678930998 CET	443	49911	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.679029942 CET	49912	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679070950 CET	443	49912	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.679133892 CET	49913	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679172993 CET	443	49913	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.679238081 CET	49908	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679260015 CET	49909	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679280996 CET	49912	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679282904 CET	49911	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679285049 CET	49910	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679342031 CET	49913	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679462910 CET	49908	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679476023 CET	443	49908	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.679594994 CET	49913	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679610014 CET	443	49913	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.679645061 CET	49912	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679657936 CET	443	49912	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.679721117 CET	49911	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679735899 CET	443	49911	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.679780006 CET	49910	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679790020 CET	443	49910	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:22.679836988 CET	49909	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:22.679846048 CET	443	49909	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.899960995 CET	443	49912	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.900048018 CET	49912	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.901966095 CET	443	49913	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.902035952 CET	49913	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.902328968 CET	443	49908	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.902412891 CET	49908	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.902738094 CET	443	49910	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.902805090 CET	49910	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.903007984 CET	443	49909	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.903079033 CET	49909	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.903553963 CET	49912	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.903563023 CET	443	49912	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.903856039 CET	443	49912	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.904553890 CET	443	49911	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.906244040 CET	49913	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.906265020 CET	443	49913	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.906464100 CET	49911	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.906510115 CET	443	49913	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.908607006 CET	49910	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.908629894 CET	443	49910	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.908847094 CET	443	49910	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.910948038 CET	49909	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.910964012 CET	443	49909	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.911195993 CET	443	49909	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.913393021 CET	49908	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.913419962 CET	443	49908	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.913661003 CET	443	49908	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.916724920 CET	49911	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.916745901 CET	443	49911	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.917043924 CET	443	49911	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.922543049 CET	49912	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.922796011 CET	443	49912	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.922877073 CET	49912	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.922889948 CET	443	49912	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.923187017 CET	49913	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.923301935 CET	49913	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.923657894 CET	443	49913	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.923741102 CET	49917	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.923778057 CET	443	49917	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.923911095 CET	49918	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.923949003 CET	443	49918	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.924068928 CET	49910	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.924151897 CET	49910	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.924485922 CET	443	49910	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.924556017 CET	49909	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.924588919 CET	49909	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.924791098 CET	443	49909	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.925194979 CET	49908	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.925277948 CET	49908	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.925374031 CET	443	49908	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.927977085 CET	49911	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.928070068 CET	49911	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.928455114 CET	443	49911	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.929706097 CET	49913	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.929725885 CET	49912	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.929780006 CET	49910	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.929786921 CET	49909	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.929812908 CET	49917	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.929825068 CET	49918	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.929847956 CET	49908	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.930037975 CET	49917	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.930057049 CET	443	49917	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.930169106 CET	49918	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.930181026 CET	443	49918	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:23.930473089 CET	49911	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:23.932229996 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:24.052787066 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:24.248644114 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:24.252266884 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:24.300724030 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:24.372325897 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:24.566792011 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:24.617317915 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:25.145276070 CET	443	49918	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:25.145371914 CET	49918	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.146028996 CET	443	49917	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:25.148535967 CET	49918	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.148555040 CET	443	49918	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:25.148860931 CET	443	49918	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:25.148996115 CET	49917	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.151653051 CET	49917	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.151659012 CET	443	49917	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:25.151912928 CET	443	49917	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:25.154275894 CET	49918	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.154428005 CET	443	49918	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:25.154445887 CET	49918	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.154458046 CET	443	49918	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:25.155303955 CET	49917	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.155399084 CET	49917	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.155477047 CET	443	49917	34.120.208.123	192.168.2.7
Dec 13, 2024 10:57:25.156085968 CET	49917	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.156097889 CET	49918	443	192.168.2.7	34.120.208.123
Dec 13, 2024 10:57:25.157808065 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:25.277576923 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:25.472532034 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:25.476268053 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:25.519989014 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:25.596234083 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:25.790882111 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:25.836574078 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:31.233570099 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:31.353535891 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:31.548295021 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:31.552139044 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:31.589433908 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:31.672044992 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:31.867896080 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:31.921592951 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:41.549041986 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:41.671260118 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:41.881221056 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:42.001121044 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:51.677323103 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:51.797054052 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:52.009203911 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:52.128904104 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:57:58.625009060 CET	50000	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:58.625040054 CET	443	50000	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:58.628667116 CET	50000	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:58.630348921 CET	50000	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:58.630362034 CET	443	50000	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:59.844221115 CET	443	50000	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:59.844372034 CET	50000	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:59.850428104 CET	50000	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:59.850440025 CET	443	50000	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:59.850557089 CET	50000	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:59.850636005 CET	443	50000	34.107.243.93	192.168.2.7
Dec 13, 2024 10:57:59.854098082 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:57:59.854568958 CET	50000	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:57:59.973965883 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:00.168554068 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:00.173393965 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:00.218081951 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:00.293519974 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:00.487938881 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:00.550081015 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:10.178050995 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:10.297858000 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:10.501092911 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:10.620774031 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:20.307841063 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:20.427840948 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:20.633898020 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:20.753999949 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:30.435439110 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:30.555466890 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:30.758569956 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:30.878550053 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:40.565284967 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:40.685275078 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:40.888230085 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:41.008003950 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:50.693926096 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:50.813849926 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:58:51.017050982 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:58:51.138139009 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:00.822339058 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:00.943063974 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:01.145307064 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:01.265170097 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:10.951776028 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:11.071749926 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:11.274522066 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:11.394741058 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:20.161127090 CET	50035	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:59:20.161185026 CET	443	50035	34.107.243.93	192.168.2.7
Dec 13, 2024 10:59:20.161261082 CET	50035	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:59:20.163001060 CET	50035	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:59:20.163019896 CET	443	50035	34.107.243.93	192.168.2.7
Dec 13, 2024 10:59:21.081032991 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:21.201155901 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:21.375605106 CET	443	50035	34.107.243.93	192.168.2.7
Dec 13, 2024 10:59:21.381583929 CET	50035	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:59:21.385704041 CET	50035	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:59:21.385704041 CET	50035	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:59:21.385740042 CET	443	50035	34.107.243.93	192.168.2.7
Dec 13, 2024 10:59:21.385963917 CET	443	50035	34.107.243.93	192.168.2.7
Dec 13, 2024 10:59:21.388087988 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:21.388359070 CET	50035	443	192.168.2.7	34.107.243.93
Dec 13, 2024 10:59:21.397140980 CET	49735	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:21.508722067 CET	80	49738	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:21.508795977 CET	49738	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:21.516819000 CET	80	49735	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:21.534173965 CET	50036	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:21.654217005 CET	80	50036	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:21.654308081 CET	50036	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:21.654530048 CET	50036	80	192.168.2.7	34.107.221.82
Dec 13, 2024 10:59:21.774321079 CET	80	50036	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:22.743232012 CET	80	50036	34.107.221.82	192.168.2.7
Dec 13, 2024 10:59:22.785624981 CET	50036	80	192.168.2.7	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 10:56:24.916349888 CET	49582	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:25.054660082 CET	53	49582	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:25.057060003 CET	62708	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:25.293574095 CET	53	62708	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:25.477121115 CET	53095	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:25.477407932 CET	58463	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:25.617858887 CET	50071	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:25.621256113 CET	53	53095	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:25.624243975 CET	49536	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:25.755255938 CET	53	50071	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:25.759593964 CET	58213	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:25.761444092 CET	53	49536	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:25.762860060 CET	56670	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:25.897281885 CET	53	58213	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:25.900551081 CET	53	56670	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:26.222049952 CET	52502	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:26.365736008 CET	53	52502	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:26.401834965 CET	59614	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:26.490761042 CET	51729	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:26.539031029 CET	53	59614	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:26.630263090 CET	53	51729	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:26.683413029 CET	53140	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:26.686295033 CET	65013	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:26.821154118 CET	53	53140	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:26.824455023 CET	53	65013	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:26.825541973 CET	56349	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:26.962785006 CET	53	56349	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:27.134622097 CET	51300	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:27.155695915 CET	58343	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:27.201636076 CET	65511	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:27.204683065 CET	59160	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:27.272708893 CET	53	51300	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:27.273741007 CET	57318	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:27.280414104 CET	59838	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:27.293348074 CET	53	58343	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:27.339011908 CET	53	65511	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:27.413285017 CET	53	57318	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:27.419002056 CET	53	59838	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:27.539683104 CET	58374	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:27.677376986 CET	53	58374	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:27.678625107 CET	61554	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:27.907636881 CET	53	61554	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:28.496840954 CET	59663	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:28.620516062 CET	55036	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:28.757555008 CET	53	55036	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:28.787067890 CET	52275	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:28.904927015 CET	53884	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:28.924248934 CET	53	52275	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:28.947805882 CET	50499	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:29.042776108 CET	53	53884	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:29.047489882 CET	56955	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:29.084923029 CET	53	50499	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:29.126028061 CET	61325	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:29.184911966 CET	53	56955	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:29.236243963 CET	62517	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:29.266099930 CET	53	61325	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:29.282776117 CET	62175	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:29.374738932 CET	53	62517	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:29.420375109 CET	53	62175	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:29.453830004 CET	53	58959	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:32.780925989 CET	56621	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:32.919262886 CET	53	56621	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:32.920330048 CET	63683	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:33.063297987 CET	53	63683	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:33.064399958 CET	50089	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:33.203284979 CET	53	50089	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:36.678694010 CET	62682	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:36.681837082 CET	54465	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:36.682102919 CET	63009	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:36.816019058 CET	53	62682	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:36.817325115 CET	59146	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:36.819576025 CET	53	63009	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:36.820432901 CET	63775	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:36.822343111 CET	53	54465	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:36.822545052 CET	65338	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:36.829291105 CET	59755	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:36.954875946 CET	53	59146	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:36.955701113 CET	62918	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:36.958287954 CET	53	63775	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:36.958885908 CET	57144	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:36.966265917 CET	53	59755	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:36.966814995 CET	63011	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:37.095104933 CET	53	62918	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:37.096146107 CET	62199	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:37.112195015 CET	53	63011	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:37.112845898 CET	63962	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:37.190196991 CET	53	57144	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:37.233783007 CET	53	62199	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:37.234616995 CET	63686	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:37.251523018 CET	53	63962	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:37.252254963 CET	51529	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:37.389300108 CET	53	51529	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:37.393613100 CET	63844	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:37.439141989 CET	53	63686	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:37.440011024 CET	65412	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:37.535855055 CET	53	63844	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:37.568001032 CET	53392	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:37.656346083 CET	53	65412	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:37.707906008 CET	53	53392	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:39.101818085 CET	58665	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:40.417278051 CET	50993	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:41.705970049 CET	62705	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:41.843142986 CET	53	62705	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:42.519458055 CET	49646	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:42.657448053 CET	53	49646	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:51.827003956 CET	59098	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:51.837409019 CET	49829	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:51.943505049 CET	63004	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:51.964437962 CET	53	59098	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:52.074275017 CET	53	49829	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:52.075778961 CET	62189	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:52.083100080 CET	53	63004	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:52.084126949 CET	59131	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:52.214065075 CET	53	62189	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:52.214899063 CET	56599	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:52.222058058 CET	53	59131	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:52.222788095 CET	50933	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:52.353132010 CET	53	56599	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:52.360095978 CET	53	50933	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:55.068662882 CET	53131	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:55.206516027 CET	53	53131	1.1.1.1	192.168.2.7
Dec 13, 2024 10:56:55.207871914 CET	65463	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:56:55.345607042 CET	53	65463	1.1.1.1	192.168.2.7
Dec 13, 2024 10:57:17.131705999 CET	50487	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:57:17.270462990 CET	53	50487	1.1.1.1	192.168.2.7
Dec 13, 2024 10:57:22.682838917 CET	50185	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:57:22.820755005 CET	53	50185	1.1.1.1	192.168.2.7
Dec 13, 2024 10:57:58.470822096 CET	53701	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:57:58.607726097 CET	53	53701	1.1.1.1	192.168.2.7
Dec 13, 2024 10:57:58.625751019 CET	54228	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:57:58.764657021 CET	53	54228	1.1.1.1	192.168.2.7
Dec 13, 2024 10:57:59.854465008 CET	64391	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:59:19.866035938 CET	50680	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:59:20.003797054 CET	53	50680	1.1.1.1	192.168.2.7
Dec 13, 2024 10:59:20.005342007 CET	56364	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:59:20.159537077 CET	53	56364	1.1.1.1	192.168.2.7
Dec 13, 2024 10:59:20.160550117 CET	51182	53	192.168.2.7	1.1.1.1
Dec 13, 2024 10:59:20.298940897 CET	53	51182	1.1.1.1	192.168.2.7
Dec 13, 2024 10:59:21.388266087 CET	63949	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 10:56:24.916349888 CET	192.168.2.7	1.1.1.1	0x6125	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.057060003 CET	192.168.2.7	1.1.1.1	0xdccb	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:56:25.477121115 CET	192.168.2.7	1.1.1.1	0x74a2	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.477407932 CET	192.168.2.7	1.1.1.1	0xff06	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.617858887 CET	192.168.2.7	1.1.1.1	0x772f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.624243975 CET	192.168.2.7	1.1.1.1	0xd68f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.759593964 CET	192.168.2.7	1.1.1.1	0x3c02	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:56:25.762860060 CET	192.168.2.7	1.1.1.1	0x3512	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:26.222049952 CET	192.168.2.7	1.1.1.1	0xbcfc	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:26.401834965 CET	192.168.2.7	1.1.1.1	0xc29b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:56:26.490761042 CET	192.168.2.7	1.1.1.1	0xb75f	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:26.683413029 CET	192.168.2.7	1.1.1.1	0x1885	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:26.686295033 CET	192.168.2.7	1.1.1.1	0x76f9	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:26.825541973 CET	192.168.2.7	1.1.1.1	0x73bd	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:27.134622097 CET	192.168.2.7	1.1.1.1	0x7baf	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.155695915 CET	192.168.2.7	1.1.1.1	0x5687	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.201636076 CET	192.168.2.7	1.1.1.1	0x345d	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.204683065 CET	192.168.2.7	1.1.1.1	0xfb2e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.273741007 CET	192.168.2.7	1.1.1.1	0x2243	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:56:27.280414104 CET	192.168.2.7	1.1.1.1	0x5d68	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.539683104 CET	192.168.2.7	1.1.1.1	0xdb6	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.678625107 CET	192.168.2.7	1.1.1.1	0x6af3	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:56:28.496840954 CET	192.168.2.7	1.1.1.1	0xa2fe	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:28.620516062 CET	192.168.2.7	1.1.1.1	0x7ce1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:28.787067890 CET	192.168.2.7	1.1.1.1	0xcf2e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:28.904927015 CET	192.168.2.7	1.1.1.1	0xbff	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:28.947805882 CET	192.168.2.7	1.1.1.1	0xfc0c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:29.047489882 CET	192.168.2.7	1.1.1.1	0x2f89	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:29.126028061 CET	192.168.2.7	1.1.1.1	0x7199	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:29.236243963 CET	192.168.2.7	1.1.1.1	0x2c85	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:29.282776117 CET	192.168.2.7	1.1.1.1	0x7c07	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:56:32.780925989 CET	192.168.2.7	1.1.1.1	0x750e	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:32.920330048 CET	192.168.2.7	1.1.1.1	0x1815	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:33.064399958 CET	192.168.2.7	1.1.1.1	0xdb05	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:56:36.678694010 CET	192.168.2.7	1.1.1.1	0x2f8a	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.681837082 CET	192.168.2.7	1.1.1.1	0x2682	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.682102919 CET	192.168.2.7	1.1.1.1	0x73ea	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.817325115 CET	192.168.2.7	1.1.1.1	0x1372	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.820432901 CET	192.168.2.7	1.1.1.1	0x2000	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.822545052 CET	192.168.2.7	1.1.1.1	0x60eb	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.829291105 CET	192.168.2.7	1.1.1.1	0xfd8	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.955701113 CET	192.168.2.7	1.1.1.1	0xc0c2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:36.958885908 CET	192.168.2.7	1.1.1.1	0x1f16	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 10:56:36.966814995 CET	192.168.2.7	1.1.1.1	0x138a	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:37.096146107 CET	192.168.2.7	1.1.1.1	0x1025	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.112845898 CET	192.168.2.7	1.1.1.1	0x5cc7	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.234616995 CET	192.168.2.7	1.1.1.1	0x1500	Standard query (0)	dualstack.reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.252254963 CET	192.168.2.7	1.1.1.1	0x5c2	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.393613100 CET	192.168.2.7	1.1.1.1	0xd62f	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:37.440011024 CET	192.168.2.7	1.1.1.1	0x8906	Standard query (0)	dualstack.reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 10:56:37.568001032 CET	192.168.2.7	1.1.1.1	0xec9a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:39.101818085 CET	192.168.2.7	1.1.1.1	0xb1b0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:40.417278051 CET	192.168.2.7	1.1.1.1	0x8602	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:41.705970049 CET	192.168.2.7	1.1.1.1	0x5459	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:42.519458055 CET	192.168.2.7	1.1.1.1	0xc904	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:51.827003956 CET	192.168.2.7	1.1.1.1	0x2d0f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:56:51.837409019 CET	192.168.2.7	1.1.1.1	0xe953	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:51.943505049 CET	192.168.2.7	1.1.1.1	0xcebb	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.075778961 CET	192.168.2.7	1.1.1.1	0x64f0	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.084126949 CET	192.168.2.7	1.1.1.1	0x9e5a	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.214899063 CET	192.168.2.7	1.1.1.1	0x6c9a	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 10:56:52.222788095 CET	192.168.2.7	1.1.1.1	0xe406	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:56:55.068662882 CET	192.168.2.7	1.1.1.1	0x48ca	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:55.207871914 CET	192.168.2.7	1.1.1.1	0xc9a5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:57:17.131705999 CET	192.168.2.7	1.1.1.1	0xf2dd	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:57:22.682838917 CET	192.168.2.7	1.1.1.1	0x1b44	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:57:58.470822096 CET	192.168.2.7	1.1.1.1	0xe319	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:57:58.625751019 CET	192.168.2.7	1.1.1.1	0xcf1b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:57:59.854465008 CET	192.168.2.7	1.1.1.1	0x94ba	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:59:19.866035938 CET	192.168.2.7	1.1.1.1	0xe9b3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:59:20.005342007 CET	192.168.2.7	1.1.1.1	0xd7bb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:59:20.160550117 CET	192.168.2.7	1.1.1.1	0x194f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:59:21.388266087 CET	192.168.2.7	1.1.1.1	0xdd2a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 10:56:24.892236948 CET	1.1.1.1	192.168.2.7	0x990b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.054660082 CET	1.1.1.1	192.168.2.7	0x6125	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.616266012 CET	1.1.1.1	192.168.2.7	0xff06	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:25.616266012 CET	1.1.1.1	192.168.2.7	0xff06	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.621256113 CET	1.1.1.1	192.168.2.7	0x74a2	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.755255938 CET	1.1.1.1	192.168.2.7	0x772f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.761444092 CET	1.1.1.1	192.168.2.7	0xd68f	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:25.897281885 CET	1.1.1.1	192.168.2.7	0x3c02	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 10:56:25.900551081 CET	1.1.1.1	192.168.2.7	0x3512	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 10:56:26.219254017 CET	1.1.1.1	192.168.2.7	0x916c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:26.219254017 CET	1.1.1.1	192.168.2.7	0x916c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:26.365736008 CET	1.1.1.1	192.168.2.7	0xbcfc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:26.630263090 CET	1.1.1.1	192.168.2.7	0xb75f	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:26.821154118 CET	1.1.1.1	192.168.2.7	0x1885	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:26.821154118 CET	1.1.1.1	192.168.2.7	0x1885	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:26.824455023 CET	1.1.1.1	192.168.2.7	0x76f9	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.272708893 CET	1.1.1.1	192.168.2.7	0x7baf	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.293348074 CET	1.1.1.1	192.168.2.7	0x5687	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.339011908 CET	1.1.1.1	192.168.2.7	0x345d	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.339011908 CET	1.1.1.1	192.168.2.7	0x345d	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.344770908 CET	1.1.1.1	192.168.2.7	0xfb2e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:27.344770908 CET	1.1.1.1	192.168.2.7	0xfb2e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.419002056 CET	1.1.1.1	192.168.2.7	0x5d68	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:27.419002056 CET	1.1.1.1	192.168.2.7	0x5d68	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:27.419002056 CET	1.1.1.1	192.168.2.7	0x5d68	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.677376986 CET	1.1.1.1	192.168.2.7	0xdb6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:27.907636881 CET	1.1.1.1	192.168.2.7	0x6af3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 10:56:28.757555008 CET	1.1.1.1	192.168.2.7	0x7ce1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:28.924248934 CET	1.1.1.1	192.168.2.7	0xcf2e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:28.944546938 CET	1.1.1.1	192.168.2.7	0xa2fe	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:29.009149075 CET	1.1.1.1	192.168.2.7	0xb109	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:29.009149075 CET	1.1.1.1	192.168.2.7	0xb109	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:29.040875912 CET	1.1.1.1	192.168.2.7	0x2a12	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:29.042776108 CET	1.1.1.1	192.168.2.7	0xbff	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:29.042776108 CET	1.1.1.1	192.168.2.7	0xbff	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:29.184911966 CET	1.1.1.1	192.168.2.7	0x2f89	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:29.266099930 CET	1.1.1.1	192.168.2.7	0x7199	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:32.919262886 CET	1.1.1.1	192.168.2.7	0x750e	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:32.919262886 CET	1.1.1.1	192.168.2.7	0x750e	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:32.919262886 CET	1.1.1.1	192.168.2.7	0x750e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:32.937098980 CET	1.1.1.1	192.168.2.7	0x333d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:33.063297987 CET	1.1.1.1	192.168.2.7	0x1815	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.816019058 CET	1.1.1.1	192.168.2.7	0x2f8a	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.819576025 CET	1.1.1.1	192.168.2.7	0x73ea	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:36.819576025 CET	1.1.1.1	192.168.2.7	0x73ea	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.822343111 CET	1.1.1.1	192.168.2.7	0x2682	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:36.822343111 CET	1.1.1.1	192.168.2.7	0x2682	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.954875946 CET	1.1.1.1	192.168.2.7	0x1372	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.954875946 CET	1.1.1.1	192.168.2.7	0x1372	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.954875946 CET	1.1.1.1	192.168.2.7	0x1372	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.954875946 CET	1.1.1.1	192.168.2.7	0x1372	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.954875946 CET	1.1.1.1	192.168.2.7	0x1372	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.954875946 CET	1.1.1.1	192.168.2.7	0x1372	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.954875946 CET	1.1.1.1	192.168.2.7	0x1372	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.954875946 CET	1.1.1.1	192.168.2.7	0x1372	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.954875946 CET	1.1.1.1	192.168.2.7	0x1372	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.958287954 CET	1.1.1.1	192.168.2.7	0x2000	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.961042881 CET	1.1.1.1	192.168.2.7	0x60eb	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:36.961042881 CET	1.1.1.1	192.168.2.7	0x60eb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:36.966265917 CET	1.1.1.1	192.168.2.7	0xfd8	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.095104933 CET	1.1.1.1	192.168.2.7	0xc0c2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:56:37.095104933 CET	1.1.1.1	192.168.2.7	0xc0c2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:56:37.095104933 CET	1.1.1.1	192.168.2.7	0xc0c2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:56:37.095104933 CET	1.1.1.1	192.168.2.7	0xc0c2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:56:37.112195015 CET	1.1.1.1	192.168.2.7	0x138a	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 10:56:37.190196991 CET	1.1.1.1	192.168.2.7	0x1f16	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 10:56:37.233783007 CET	1.1.1.1	192.168.2.7	0x1025	No error (0)	www.reddit.com	dualstack.reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:37.233783007 CET	1.1.1.1	192.168.2.7	0x1025	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.233783007 CET	1.1.1.1	192.168.2.7	0x1025	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.233783007 CET	1.1.1.1	192.168.2.7	0x1025	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.233783007 CET	1.1.1.1	192.168.2.7	0x1025	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.251523018 CET	1.1.1.1	192.168.2.7	0x5cc7	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.389300108 CET	1.1.1.1	192.168.2.7	0x5c2	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.439141989 CET	1.1.1.1	192.168.2.7	0x1500	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.439141989 CET	1.1.1.1	192.168.2.7	0x1500	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.439141989 CET	1.1.1.1	192.168.2.7	0x1500	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.439141989 CET	1.1.1.1	192.168.2.7	0x1500	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:37.656346083 CET	1.1.1.1	192.168.2.7	0x8906	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 13, 2024 10:56:37.656346083 CET	1.1.1.1	192.168.2.7	0x8906	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 13, 2024 10:56:37.656346083 CET	1.1.1.1	192.168.2.7	0x8906	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 13, 2024 10:56:37.656346083 CET	1.1.1.1	192.168.2.7	0x8906	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Dec 13, 2024 10:56:39.326239109 CET	1.1.1.1	192.168.2.7	0xb1b0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:39.326239109 CET	1.1.1.1	192.168.2.7	0xb1b0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:40.557097912 CET	1.1.1.1	192.168.2.7	0x8602	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:40.557097912 CET	1.1.1.1	192.168.2.7	0x8602	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.074275017 CET	1.1.1.1	192.168.2.7	0xe953	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.074275017 CET	1.1.1.1	192.168.2.7	0xe953	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.074275017 CET	1.1.1.1	192.168.2.7	0xe953	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.074275017 CET	1.1.1.1	192.168.2.7	0xe953	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.083100080 CET	1.1.1.1	192.168.2.7	0xcebb	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:52.083100080 CET	1.1.1.1	192.168.2.7	0xcebb	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.214065075 CET	1.1.1.1	192.168.2.7	0x64f0	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.214065075 CET	1.1.1.1	192.168.2.7	0x64f0	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.214065075 CET	1.1.1.1	192.168.2.7	0x64f0	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.214065075 CET	1.1.1.1	192.168.2.7	0x64f0	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.222058058 CET	1.1.1.1	192.168.2.7	0x9e5a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:52.353132010 CET	1.1.1.1	192.168.2.7	0x6c9a	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:56:52.353132010 CET	1.1.1.1	192.168.2.7	0x6c9a	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:56:52.353132010 CET	1.1.1.1	192.168.2.7	0x6c9a	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:56:52.353132010 CET	1.1.1.1	192.168.2.7	0x6c9a	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:56:55.206516027 CET	1.1.1.1	192.168.2.7	0x48ca	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:56:55.250931025 CET	1.1.1.1	192.168.2.7	0x7c91	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:56:55.250931025 CET	1.1.1.1	192.168.2.7	0x7c91	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:57:22.669270039 CET	1.1.1.1	192.168.2.7	0xe2d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:57:58.607726097 CET	1.1.1.1	192.168.2.7	0xe319	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:57:59.991966009 CET	1.1.1.1	192.168.2.7	0x94ba	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:57:59.991966009 CET	1.1.1.1	192.168.2.7	0x94ba	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:59:20.003797054 CET	1.1.1.1	192.168.2.7	0xe9b3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:59:20.159537077 CET	1.1.1.1	192.168.2.7	0xd7bb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:59:21.532732010 CET	1.1.1.1	192.168.2.7	0xdd2a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:59:21.532732010 CET	1.1.1.1	192.168.2.7	0xdd2a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49730	34.107.221.82	80	8180	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:56:26.019877911 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:27.106635094 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 85621 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49735	34.107.221.82	80	8180	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:56:27.665467978 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:28.752754927 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85680 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:28.893596888 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:29.208076954 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85681 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:29.212905884 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:29.527884007 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85681 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:32.754371881 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:33.069169044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85684 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:36.822655916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:37.137631893 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85688 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:40.487541914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:40.802681923 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85692 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:41.713519096 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:42.030039072 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85693 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:45.290602922 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:45.605163097 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85697 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:46.515279055 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:46.831257105 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85698 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:47.756593943 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:48.071665049 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85699 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:53.383527040 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:53.697928905 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85705 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:54.873889923 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:55.188147068 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85707 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:56.758738995 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:56:57.407737970 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85708 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:56:57.445297956 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85708 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:57:07.419903040 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:57:17.564970970 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:57:18.697978020 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:57:19.012578964 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85730 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:57:24.252266884 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:57:24.566792011 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85736 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:57:25.476268053 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:57:25.790882111 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85737 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:57:31.552139044 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:57:31.867896080 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85743 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:57:41.881221056 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:57:52.009203911 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:58:00.173393965 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:58:00.487938881 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 85772 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:58:10.501092911 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:58:20.633898020 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:58:30.758569956 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:58:40.888230085 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:58:51.017050982 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:59:01.145307064 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49738	34.107.221.82	80	8180	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:56:27.710391998 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:28.796020031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81526 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:28.894429922 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:29.208479881 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81527 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:29.272444963 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:29.589440107 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81527 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:32.798187017 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:33.113054037 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81530 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:37.563812971 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:37.878398895 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81535 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:41.164747953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:41.485447884 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81539 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:44.969583988 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:45.287169933 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81543 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:46.197626114 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:46.511991024 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81544 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:47.432023048 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:47.752801895 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81545 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:53.063658953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:53.380008936 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81551 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:54.556452990 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:54.870786905 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81552 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:56:56.434046030 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:56:56.754945040 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81554 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:57:06.764664888 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:57:16.894220114 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:57:18.375224113 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:57:18.692403078 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81576 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:57:23.932229996 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:57:24.248644114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81582 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:57:25.157808065 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:57:25.472532034 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81583 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:57:31.233570099 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:57:31.548295021 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81589 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:57:41.549041986 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:57:51.677323103 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:57:59.854098082 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:58:00.168554068 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 81618 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:58:10.178050995 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:58:20.307841063 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:58:30.435439110 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:58:40.565284967 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:58:50.693926096 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:59:00.822339058 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.7	50036	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:59:21.654530048 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:59:22.743232012 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 85797 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	04:56:13
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4f0000
File size:	966'656 bytes
MD5 hash:	9B55AFC1CA0156A623D6C797CF48EA06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:56:14
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x50000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:56:14
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:56:17
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x50000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:56:17
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:56:17
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x50000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:56:17
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x300000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:56:18
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x50000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:56:18
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:56:18
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x50000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:56:18
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:56:18
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:56:19
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:56:19
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	04:56:20
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2228 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {022ee35d-a47f-4ab3-bd88-1e2c404edb4e} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6b916f510 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	04:56:23
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -parentBuildID 20230927232528 -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7bbade-4914-4451-9f5f-f7af1ec7525f} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6cb1eae10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	04:56:28
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5156 -prefMapHandle 5140 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6987848a-6474-4c66-8425-c2913ad113aa} 8180 "\\.\pipe\gecko-crash-server-pipe.8180" 1c6ca2c4310 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.3%
Total number of Nodes:	1750
Total number of Limit Nodes:	61

Executed Functions

Function 004F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004F430D

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

GetCurrentProcess.KERNEL32(?,0058CB64,00000000,?,?), ref: 004F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 004F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 004F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004F4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 004F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 004F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004F44A0

Strings

kernel32.dll, xrefs: 004F444F
GetNativeSystemInfo, xrefs: 004F4460
|O, xrefs: 005336F8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 710b43d934ff1eed517e4edb07e14542cce83ec1f580481210aa4026e0b72be8
Instruction ID: 6b81fa5c1b001c5696f9db8654650fac93d5a236c42a967e1b7b4aedc5394d8f
Opcode Fuzzy Hash: 710b43d934ff1eed517e4edb07e14542cce83ec1f580481210aa4026e0b72be8
Instruction Fuzzy Hash: 26A1143191AEC4CFC712C7A87C419A63FA47B73F48B145D99D441A3A23D638460DEB2E

Function 004F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004F50AA,?,?,00000000,00000000), ref: 004F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004F50AA,?,?,00000000,00000000), ref: 004F42C9
LoadResource.KERNEL32(?,00000000,?,?,004F50AA,?,?,00000000,00000000,?,?,?,?,?,?,004F4F20), ref: 005335BE
SizeofResource.KERNEL32(?,00000000,?,?,004F50AA,?,?,00000000,00000000,?,?,?,?,?,?,004F4F20), ref: 005335D3
LockResource.KERNEL32(004F50AA,?,?,004F50AA,?,?,00000000,00000000,?,?,?,?,?,?,004F4F20,?), ref: 005335E6

Strings

SCRIPT, xrefs: 004F42BF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 15f83ed939a37e651509a092ae384fc5d9a62843a479c99c2ec9075e1183d44a
Instruction ID: a1656488022dcaf32c65ef728da209c720ff0fbd563d9dde438c271eac9d1236
Opcode Fuzzy Hash: 15f83ed939a37e651509a092ae384fc5d9a62843a479c99c2ec9075e1183d44a
Instruction Fuzzy Hash: 47117C74200704BFE7218B65DC48F277FB9EBD5B91F1081AAF902A66A0DB71D8049B30

Function 00532BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 004F2B6B

Part of subcall function 004F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005C1418,?,004F2E7F,?,?,?,00000000), ref: 004F3A78

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005B2224), ref: 00532C10
ShellExecuteW.SHELL32(00000000,?,?,005B2224), ref: 00532C17

Strings

runas, xrefs: 00532C0B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 57fa3dd514db39ff27494aa028dd35cf8192fa7d9037e0f9955d8cc8aa5bdd0b
Instruction ID: 1e1a4abb521f2d19feecc91ce96f6e213c0b1725f8985747473072b63dce7234
Opcode Fuzzy Hash: 57fa3dd514db39ff27494aa028dd35cf8192fa7d9037e0f9955d8cc8aa5bdd0b
Instruction Fuzzy Hash: 4911E7311087496ECB05FF61D852EBEBBE4AB91745F04141FF742520A3DF789909D71A

Function 0055D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0055D501
Process32FirstW.KERNEL32(00000000,?), ref: 0055D50F
Process32NextW.KERNEL32(00000000,?), ref: 0055D52F
CloseHandle.KERNEL32(00000000), ref: 0055D5DC

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 19245ac625c0e95a005a49d4cdc22b8e8fafc7ed323133e91b0c52539203ce7a
Instruction ID: 3e7d0f6ed1dcbe74b3832d36a982f1d13412bd6f21aa4dccb6748b74ff99dddd
Opcode Fuzzy Hash: 19245ac625c0e95a005a49d4cdc22b8e8fafc7ed323133e91b0c52539203ce7a
Instruction Fuzzy Hash: 3B3192720082059FD310EF54C895ABFBFF8AF99344F14092EF985921A1EB719948CBA2

Function 0055DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00535222), ref: 0055DBCE
GetFileAttributesW.KERNEL32(?), ref: 0055DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0055DBEE
FindClose.KERNEL32(00000000), ref: 0055DBFA

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 4b2d7073b9073fd5d5d27be9d3b8f32dc83ba13fb61b89dcfaf34d4b36ed428b
Instruction ID: 6eaccaa566848c88fa641c5c01fb2f7fc7fb9f78c5503ddcb22ee4b0fce20b12
Opcode Fuzzy Hash: 4b2d7073b9073fd5d5d27be9d3b8f32dc83ba13fb61b89dcfaf34d4b36ed428b
Instruction Fuzzy Hash: D0F08C328109109782306B68AC0D8AE3FBCAE41336B104702FC77D20E0EBB06D5C9AA5

Function 0054D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0054D220

Strings

X64, xrefs: 0054D2A8
%.3d, xrefs: 0054D22B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 730e5f74c40af581f9424d94f386303e862d4d243933a2a4e6d8d61f288c26de
Instruction ID: 0fa13e84f8bce61c00e3efa483571e1f1d0a02699c63d643e296b4607dd39546
Opcode Fuzzy Hash: 730e5f74c40af581f9424d94f386303e862d4d243933a2a4e6d8d61f288c26de
Instruction Fuzzy Hash: 40D0627980D119EACB9096D0DC499FDBFBCBB58345F548C52FD07A1080E674D5486B71

Function 00514CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005228E9,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002,00000000,?,005228E9), ref: 00514D09
TerminateProcess.KERNEL32(00000000,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002,00000000,?,005228E9), ref: 00514D10
ExitProcess.KERNEL32 ref: 00514D22

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f1faec4a13b9a7d7cb52d8299fb74dd9e1e665379c47b51032c74edd68721702
Instruction ID: 39dbaad73aeaeead5e5ab53279e6e4b1597345be37f9e8b97de0e9466a4e1658
Opcode Fuzzy Hash: f1faec4a13b9a7d7cb52d8299fb74dd9e1e665379c47b51032c74edd68721702
Instruction Fuzzy Hash: 16E0B631000148ABDF11AF54ED0DA983F69FF92B81B105414FC099A122CB35ED86EF90

Function 0054D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0054D28C

Strings

X64, xrefs: 0054D2A8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: b39a71044f7b136be5c18ac40455803316336d221c7ba7c3b01e27af3704feb1
Instruction ID: 5df1ab823502b6d4406a587f285b277da4ce5df5bdc5c6ebb5112ea5b210a8af
Opcode Fuzzy Hash: b39a71044f7b136be5c18ac40455803316336d221c7ba7c3b01e27af3704feb1
Instruction Fuzzy Hash: DFD0C9B480511DEBCB90CB90DC8CDDDBB7CBB14345F100551F506A2140D77495489F20

Function 004FBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#\, xrefs: 005407CE

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#\
API String ID: 3964851224-2009390076
Opcode ID: 110c2204d122c597c59fc03013d79d9160a5576a1b35e8801bf2ed1ed924d4fe
Instruction ID: 3020bb3dec30f43ca972c219665cbe904977c9c5ebc8bfd6b550369f27c3b636
Opcode Fuzzy Hash: 110c2204d122c597c59fc03013d79d9160a5576a1b35e8801bf2ed1ed924d4fe
Instruction Fuzzy Hash: 63A27E705083458FD714DF14C580B6ABBE1FF89308F24896EEA8A8B392D775EC45CB96

Function 0057AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0057B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0057B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0057B1D4
_wcslen.LIBCMT ref: 0057B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0057B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0057B236
_wcslen.LIBCMT ref: 0057B332

Part of subcall function 005605A7: GetStdHandle.KERNEL32(000000F6), ref: 005605C6

_wcslen.LIBCMT ref: 0057B34B
_wcslen.LIBCMT ref: 0057B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0057B3B6
GetLastError.KERNEL32(00000000), ref: 0057B407
CloseHandle.KERNEL32(?), ref: 0057B439
CloseHandle.KERNEL32(00000000), ref: 0057B44A
CloseHandle.KERNEL32(00000000), ref: 0057B45C
CloseHandle.KERNEL32(00000000), ref: 0057B46E
CloseHandle.KERNEL32(?), ref: 0057B4E3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 8adbcca68c626e7e610bb07aa3a284ec31b0b67cf3c329a4ce6b9af28c81a48b
Instruction ID: 890f7f5d3bdd2ae729f8857758e9ee1b2664fb74599216ef257d29a7e3475c11
Opcode Fuzzy Hash: 8adbcca68c626e7e610bb07aa3a284ec31b0b67cf3c329a4ce6b9af28c81a48b
Instruction Fuzzy Hash: F9F1CC315043009FEB24EF25D895B6EBBE1BF85314F14885EF9898B2A2CB35EC44DB52

Function 004FD730 Relevance: 21.6, APIs: 14, Instructions: 626windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004FD807
timeGetTime.WINMM ref: 004FDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FDB28
TranslateMessage.USER32(?), ref: 004FDB7B
DispatchMessageW.USER32(?), ref: 004FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FDB9F
Sleep.KERNEL32(0000000A), ref: 004FDBB1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 46ac4dbc356381b1303de3d0e74fc9cf9aebb8d787255f283ef75039ea5b3a4f
Instruction ID: cb4b04c06aa066c081c47a71e8d214bf79a7b0b1b70b6268f7affc4e0bd2f7f7
Opcode Fuzzy Hash: 46ac4dbc356381b1303de3d0e74fc9cf9aebb8d787255f283ef75039ea5b3a4f
Instruction Fuzzy Hash: 29420370A04646DFD728CF24C888FBABBA2FF85308F54451EF95587291C7B4E844DB9A

Function 004F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004F2D07
RegisterClassExW.USER32(00000030), ref: 004F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F2D42
InitCommonControlsEx.COMCTL32(?), ref: 004F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F2D6F
LoadIconW.USER32(000000A9), ref: 004F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F2D94

Strings

0, xrefs: 004F2CE9
TaskbarCreated, xrefs: 004F2D37
+, xrefs: 004F2CF0
AutoIt v3 GUI, xrefs: 004F2D23

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4104e8db21216a91a5109d7b010f76bf082969c465e70d000720e223168efe13
Instruction ID: 38ae9de8e31270e70104911f10ea1465e91f8326e97706ec39918a7c2c7628a0
Opcode Fuzzy Hash: 4104e8db21216a91a5109d7b010f76bf082969c465e70d000720e223168efe13
Instruction Fuzzy Hash: 8E21EFB5901608EFDB00DFA4E889A9DBFB4FB19700F00811AFA11B62A0D7B14548EFA5

Function 0053065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0053039A: CreateFileW.KERNEL32(00000000,00000000,?,00530704,?,?,00000000,?,00530704,00000000,0000000C), ref: 005303B7

GetLastError.KERNEL32 ref: 0053076F
__dosmaperr.LIBCMT ref: 00530776
GetFileType.KERNEL32(00000000), ref: 00530782
GetLastError.KERNEL32 ref: 0053078C
__dosmaperr.LIBCMT ref: 00530795
CloseHandle.KERNEL32(00000000), ref: 005307B5
CloseHandle.KERNEL32(?), ref: 005308FF
GetLastError.KERNEL32 ref: 00530931
__dosmaperr.LIBCMT ref: 00530938

Strings

H, xrefs: 005308BD

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b38d3140aa378b2b2308e2419439a1aecb8001c9a5ba0cd84f0c2ced2a2faa39
Instruction ID: e75f4dea61ff8f3cf903d26927cbddbb5e5a27b494e0f8332ad5281b5e4b3c9b
Opcode Fuzzy Hash: b38d3140aa378b2b2308e2419439a1aecb8001c9a5ba0cd84f0c2ced2a2faa39
Instruction Fuzzy Hash: AAA12736A002098FDF19AF68DC66BAD7FA0FB46320F14115DF811EB2D1DB319856DB91

Function 004F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005C1418,?,004F2E7F,?,?,?,00000000), ref: 004F3A78

Part of subcall function 004F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004F3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0053318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005331CE
RegCloseKey.ADVAPI32(?), ref: 00533210
_wcslen.LIBCMT ref: 00533277
_wcslen.LIBCMT ref: 00533286

Strings

Software\AutoIt v3\AutoIt, xrefs: 004F3560
Include, xrefs: 00533184, 005331C5
\, xrefs: 0053328C
\Include\, xrefs: 004F3527

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 52c8108efd67d521c136daeca2c01cadc9c49d7deff226addc1330d014255f5d
Instruction ID: 25129ff110cfe01b9c40d73d85d2d515be9b8c2bd718ce4c30a745cca8c52120
Opcode Fuzzy Hash: 52c8108efd67d521c136daeca2c01cadc9c49d7deff226addc1330d014255f5d
Instruction Fuzzy Hash: 0D71BC714043459EC304EF66DC85DABBFE8FFA4B44F40092EF545931A0EB789A48CBA6

Function 004F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 004F2B9D
LoadIconW.USER32(00000063), ref: 004F2BB3
LoadIconW.USER32(000000A4), ref: 004F2BC5
LoadIconW.USER32(000000A2), ref: 004F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004F2BEF
RegisterClassExW.USER32(?), ref: 004F2C40

Part of subcall function 004F2CD4: GetSysColorBrush.USER32(0000000F), ref: 004F2D07
Part of subcall function 004F2CD4: RegisterClassExW.USER32(00000030), ref: 004F2D31
Part of subcall function 004F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F2D42
Part of subcall function 004F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 004F2D5F
Part of subcall function 004F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F2D6F
Part of subcall function 004F2CD4: LoadIconW.USER32(000000A9), ref: 004F2D85
Part of subcall function 004F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F2D94

Strings

0, xrefs: 004F2C0F
AutoIt v3, xrefs: 004F2C2F
#, xrefs: 004F2C16

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1ca4eb56aabf3c985de5b023b667a99d657d60f5c12d37b679070680c6c86c37
Instruction ID: 4c25a053c0cda6c17238a100147957fc0c0222691880fa5d0bb5ae76140035bf
Opcode Fuzzy Hash: 1ca4eb56aabf3c985de5b023b667a99d657d60f5c12d37b679070680c6c86c37
Instruction Fuzzy Hash: BD217C70E00B58AFDB109FA5EC44EA97FB4FB19F44F00041AEA00A26A1D3B54518EF98

Function 004FB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FBB4E

Strings

p#\, xrefs: 00540263
x#\, xrefs: 00540207
p#\, xrefs: 004FBB6B
p#\, xrefs: 0054024F
p#\, xrefs: 004FBA72
p%\, xrefs: 004FB8DC
x#\, xrefs: 00540168
p%\, xrefs: 004FBB32

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#\$p#\$p#\$p#\$p%\$p%\$x#\$x#\
API String ID: 1385522511-1182363912
Opcode ID: ad4619ece5d4e7ed7090bd9d0ad6e095dbcef8bfafcb0d214e988ec752fa4255
Instruction ID: 70531d6452acad8dfa0f65c29f5488f61a98d595220a946438c34690cf928af5
Opcode Fuzzy Hash: ad4619ece5d4e7ed7090bd9d0ad6e095dbcef8bfafcb0d214e988ec752fa4255
Instruction Fuzzy Hash: C432AE74A002099FDB20DF54C894EBEBBB5FF45344F24845AEA05AB391C7B8ED42CB95

Function 004F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,004F316A,?,?), ref: 004F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,004F316A,?,?), ref: 004F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,004F316A,?,?), ref: 004F3232
CreatePopupMenu.USER32 ref: 004F3246
PostQuitMessage.USER32(00000000), ref: 004F3267

Strings

TaskbarCreated, xrefs: 004F322D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8986da5736fe6059fe443c08157af9cbb96c155fa2d6c7b0fbdbb834ba496abf
Instruction ID: 30b4f9664f4c61c5d099bca9711afec9f63e84147e5a875e400832471b4b7095
Opcode Fuzzy Hash: 8986da5736fe6059fe443c08157af9cbb96c155fa2d6c7b0fbdbb834ba496abf
Instruction Fuzzy Hash: 79414D31200908AEDB142FB89D0DF7A3E58F71634AF04011BFB06D5292CB79DE45A7AD

Function 004FDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%\, xrefs: 004FE1E0
Variable must be of type 'Object'., xrefs: 005432B7
D%\D%\, xrefs: 004FE27E
D%\, xrefs: 0054302D
D%\, xrefs: 00542FDA
D%\, xrefs: 004FE4B1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: D%\$D%\$D%\$D%\$D%\D%\$Variable must be of type 'Object'.
API String ID: 0-561792132
Opcode ID: bf4a58cdc2e31952f932020b0db200f1501080e7cd7f0740920fc98d29638938
Instruction ID: 294d7d692a9a980ed136a4cc7704aaca63ec3d9b79024b7314c923a49e4ac42e
Opcode Fuzzy Hash: bf4a58cdc2e31952f932020b0db200f1501080e7cd7f0740920fc98d29638938
Instruction Fuzzy Hash: 90C2AF71A00209CFCB24CF5AC884ABEBBF1BF54305F14856AEA05AB3A1D379ED41CB55

Function 004FEC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FFE66

Strings

D%\, xrefs: 004FEFB7
D%\, xrefs: 0054491E
D%\, xrefs: 004FF36A
D%\D%\, xrefs: 004FF05B
D%\, xrefs: 00544972

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%\$D%\$D%\$D%\$D%\D%\
API String ID: 1385522511-2509346657
Opcode ID: 7d2f271f5e655e256c1f62148ab3021dfc6e02420ab3fced304605e14bf0839c
Instruction ID: 6d8259303ffa46c8f4992bf044589bdfd164421251e7a1e1d82e2e9b73fa2213
Opcode Fuzzy Hash: 7d2f271f5e655e256c1f62148ab3021dfc6e02420ab3fced304605e14bf0839c
Instruction Fuzzy Hash: E7B29D74604345CFDB24CF15C480A3ABBE1BF99304F24486EEA859B3A1D779EC49CB96

Function 004F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004F1459
CoUninitialize.COMBASE ref: 004F14F8
UnregisterHotKey.USER32(?), ref: 004F16DD
DestroyWindow.USER32(?), ref: 005324B9
FreeLibrary.KERNEL32(?), ref: 0053251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0053254B

Strings

close all, xrefs: 004F1454

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2e24881d2550a95c3be3c4a7a11e7a4bfb93ce4d1eddff0301aaa1f450e48bce
Instruction ID: 735fb3387b4a4a2dbfca8b00ed898671b0f2e9062b8bd1d07db6d1e852e97d44
Opcode Fuzzy Hash: 2e24881d2550a95c3be3c4a7a11e7a4bfb93ce4d1eddff0301aaa1f450e48bce
Instruction Fuzzy Hash: 8BD19D31701612CFDB29EF15C499A39FBA4BF44704F1441AEE94AAB262CB34ED12CF55

Function 0055DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0055DE42
gethostname.WS2_32(?,00000100), ref: 0055DE5C
gethostbyname.WS2_32(?), ref: 0055DE69
inet_ntoa.WSOCK32(?), ref: 0055DEAB
_strcat.LIBCMT ref: 0055DEB9
WSACleanup.WSOCK32 ref: 0055DEDE

Strings

0.0.0.0, xrefs: 0055DE87

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: fdbd8793525afc7c74156285ddb8d103c7b59fdf362875d75c179ced6ad4d0f9
Instruction ID: 7c28a31f412502d1025c32b7b25a1374585f204598dcd66911eb6d12f7dbdd46
Opcode Fuzzy Hash: fdbd8793525afc7c74156285ddb8d103c7b59fdf362875d75c179ced6ad4d0f9
Instruction Fuzzy Hash: 7111E73250411AABDB30AB209C0BEEE7FBCFB51712F00016AF905E6091EF748A859B70

Function 004F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,004F1CAD,?), ref: 004F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,004F1CAD,?), ref: 004F2CCF

Strings

AutoIt v3, xrefs: 004F2C89, 004F2C8E, 004F2C8F
edit, xrefs: 004F2CAC

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6d4e602f80abdba1cb28af85e22bc9f6807da865f55936a0ed7bfb942426f658
Instruction ID: ec3936e1dfff7423e7330c8ab5e7c5297f6e52e4640b00a036a758997baadac9
Opcode Fuzzy Hash: 6d4e602f80abdba1cb28af85e22bc9f6807da865f55936a0ed7bfb942426f658
Instruction Fuzzy Hash: 6FF0DA75640AD07EEB311717AC08E772EBDE7E7F54B01045EFD00A25A1C6751858EAB8

Function 004F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004F3B0F,SwapMouseButtons,00000004,?), ref: 004F3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004F3B0F,SwapMouseButtons,00000004,?), ref: 004F3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,004F3B0F,SwapMouseButtons,00000004,?), ref: 004F3B83

Strings

Control Panel\Mouse, xrefs: 004F3B3E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 627100c6bf53260b327327e2ceed15152bf757738cd1fe5057c097919bac7de3
Instruction ID: a2cf8babd90cdc2959f8d9270765ea6519557d4e5fa51e242904d38edf7f2182
Opcode Fuzzy Hash: 627100c6bf53260b327327e2ceed15152bf757738cd1fe5057c097919bac7de3
Instruction Fuzzy Hash: 41115AB1511208FFDB208FA4DC48ABFBBB8EF00785B10445AA901E7211D235AE45A764

Function 0054D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0054D3BF
FreeLibrary.KERNEL32 ref: 0054D3E5

Strings

X64, xrefs: 0054D2A8
GetSystemWow64DirectoryW, xrefs: 0054D3B9

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7f0ea576a2b450641892ae39a21d4b79cfc2314d7ad31d1fd2b8e79c36088864
Instruction ID: 99a3607d824bb276fc37a38d75f415e6e2224734ea4a52e3dc6f6cb08bc1bdbb
Opcode Fuzzy Hash: 7f0ea576a2b450641892ae39a21d4b79cfc2314d7ad31d1fd2b8e79c36088864
Instruction Fuzzy Hash: 78F0EC365096119BD7716A104C58ADD3F747F11F09BA44D55EC02F5245D7B4CD4487B1

Function 004F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005333A2

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F3A04

Strings

Line: , xrefs: 005333EB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8f39d97298df3fbf888ba7e88641615fd52e348f8819cddedf00c0868af2e421
Instruction ID: e35f481acad3830aad2a56e68204144a77b16b5e6c2efed3f3fadf02d8b9fd56
Opcode Fuzzy Hash: 8f39d97298df3fbf888ba7e88641615fd52e348f8819cddedf00c0868af2e421
Instruction Fuzzy Hash: 1B31E471408708AED321EF10DC45FFBB7D8AB41719F00492FF69992191DB789A48C7DA

Function 004F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00532C8C

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

Part of subcall function 004F2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004F2DC4

Strings

X, xrefs: 00532C5A
`e[, xrefs: 00532C85

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e[
API String ID: 779396738-1307940800
Opcode ID: 392839ef67f744aa27b9c4a3d11d83f539c44bee301c27e9a73d644e40b2b657
Instruction ID: 52e0ac121eb2c689d10b6842b1aa61fd34ce948ebe7801e52c91f912e6df340b
Opcode Fuzzy Hash: 392839ef67f744aa27b9c4a3d11d83f539c44bee301c27e9a73d644e40b2b657
Instruction Fuzzy Hash: CF219371A0069CAFDF01DF95C849BEE7BF8AF89304F00405AE505B7241DBB85A898F65

Function 0050FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00510668

Part of subcall function 005132A4: RaiseException.KERNEL32(?,?,?,0051068A,?,005C1444,?,?,?,?,?,?,0051068A,004F1129,005B8738,004F1129), ref: 00513304

__CxxThrowException@8.LIBVCRUNTIME ref: 00510685

Strings

Unknown exception, xrefs: 00510692

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 24a43dcefec2f26755799e01c95028e112391be58be0675e6c3855d1b4aa3c11
Instruction ID: 8f96a75297513f39aacb60dd3c8629d8886978e6489b32a93e9cf491dc14321a
Opcode Fuzzy Hash: 24a43dcefec2f26755799e01c95028e112391be58be0675e6c3855d1b4aa3c11
Instruction Fuzzy Hash: 7AF0C83490020E77DF10BA64D84ACDD7F6D7E80350B604531B924959D1EFB1EAD5CA80

Function 004F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F1BF4
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 004F1BFC
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F1C07
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F1C12
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 004F1C1A
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 004F1C22

Part of subcall function 004F1B4A: RegisterWindowMessageW.USER32(00000004,?,004F12C4), ref: 004F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004F136A
OleInitialize.OLE32 ref: 004F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 005324AB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 285ffcbce85cf8a8ba0fa288080fe8920882093417d2b103e8582cd0f9ac3a02
Instruction ID: 50f23171d1d50d3f26523bde95f7acb43213616b85e00c2da998aabd50526d04
Opcode Fuzzy Hash: 285ffcbce85cf8a8ba0fa288080fe8920882093417d2b103e8582cd0f9ac3a02
Instruction Fuzzy Hash: 2C71DDB4805E048EC784EF7AA985E653EE0FBAB344754812ED50AD7363EB348008EF5C

Function 0055C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0055C259
KillTimer.USER32(?,00000001,?,?), ref: 0055C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0055C270

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 104bc1ea3475ac88d6de583b7a1ffda4af7484d8ee4d64f2bdd0e5c1ec581d3d
Instruction ID: 8b16011d5e051b6476ac069e1096097eaec499ed8ece7f2eab7422101eefcb8c
Opcode Fuzzy Hash: 104bc1ea3475ac88d6de583b7a1ffda4af7484d8ee4d64f2bdd0e5c1ec581d3d
Instruction Fuzzy Hash: 6331E8749047446FEB228F648855BE7BFECAB12309F00049ED9DAA7141C3745A88CB51

Function 005286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,005285CC,?,005B8CC8,0000000C), ref: 00528704
GetLastError.KERNEL32(?,005285CC,?,005B8CC8,0000000C), ref: 0052870E
__dosmaperr.LIBCMT ref: 00528739

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: e424849e94679f182e983f637f1023ff31c03879b89160e592167d0d3d7041d5
Instruction ID: 52bb46692c306491314e821afa7082f42627cf7033d5a14563c39e46c4a08ae8
Opcode Fuzzy Hash: e424849e94679f182e983f637f1023ff31c03879b89160e592167d0d3d7041d5
Instruction Fuzzy Hash: 2D016B336066302AD624A6B4784DB7E2F49AFF3774F381519F8149B1D3EEB19C819290

Function 004FDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 004FDB7B
DispatchMessageW.USER32(?), ref: 004FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FDB9F
Sleep.KERNEL32(0000000A), ref: 004FDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00541CC9

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 399c147d4b632e44df675201a354f7e393ddf93202fd8a3dcaa16189e9d0439f
Instruction ID: d1fdd041f192ff3ebc39705576d2f32700e9cf1d3baee0e2a0308d27c05e85a6
Opcode Fuzzy Hash: 399c147d4b632e44df675201a354f7e393ddf93202fd8a3dcaa16189e9d0439f
Instruction Fuzzy Hash: 3AF05E306447459BEB30DBA08C89FEB7BA9FB95350F104A19E61AD30D0DB34A4899B2D

Function 00501310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005017F6

Strings

CALL, xrefs: 005017C6

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e1a26da5d5a394d03e461ec13bd2c8f2252eefdf1d018ca2627d85d4d2694e2e
Instruction ID: 5b9864dceb0e79ba70f9e0bc395327bbfab07143e252d92aae496a94cb6774d3
Opcode Fuzzy Hash: e1a26da5d5a394d03e461ec13bd2c8f2252eefdf1d018ca2627d85d4d2694e2e
Instruction Fuzzy Hash: 322289706086429FC714DF14C884B6EBFF1BF85318F18891DF4968B2A2D772E945CB96

Function 005001E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07adc4728876f596f00056b3645091960807c5aefce9edc823b82dce6568a3be
Instruction ID: 16079b5989768de7003a74bd3abd54ef04e550ab1154bf15074bfd53d09011ef
Opcode Fuzzy Hash: 07adc4728876f596f00056b3645091960807c5aefce9edc823b82dce6568a3be
Instruction Fuzzy Hash: C532C034A00606DFCF24DF54C889BEEBBB1BF45318F144969E915AB2E2E731AD44CB91

Function 0054D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0054D375

Strings

X64, xrefs: 0054D2A8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 72dcf0de9ec852e0a0a1dadedc1cc9316801acc3d6a5ab6ea0218e56007e72bb
Instruction ID: 855d943d60c6344699376a843ae0c7cd0ada7216a15cc10219180e30621f820f
Opcode Fuzzy Hash: 72dcf0de9ec852e0a0a1dadedc1cc9316801acc3d6a5ab6ea0218e56007e72bb
Instruction Fuzzy Hash: 59D0C9B9809218EBCB90CB80DC88DDDBBBCBB14305F504991F406A2140DB7495489B30

Function 004F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F3908

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e6224ff943fb7f4fc7fa7a997cc7c865654509b19da0627bffa7140f67111a10
Instruction ID: 75ffe02f89301cfb2f30f79de331acd1449925692acfbde470288d26e499ddc6
Opcode Fuzzy Hash: e6224ff943fb7f4fc7fa7a997cc7c865654509b19da0627bffa7140f67111a10
Instruction Fuzzy Hash: 3631D170504B058FD720EF24D884BA7BBE4FB49749F00082EFA9983251E779AA48CB56

Function 0050F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0050F661

Part of subcall function 004FD730: GetInputState.USER32 ref: 004FD807

Sleep.KERNEL32(00000000), ref: 0054F2DE

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 17bcdfe02cca87f133b3badde27de06a5b8bb1bf05af1dd473b5a3f146b33c41
Instruction ID: ddca7989d9424e9ae8fb39135a134b9eed4685a07b457e0619188e88e3fb1c7d
Opcode Fuzzy Hash: 17bcdfe02cca87f133b3badde27de06a5b8bb1bf05af1dd473b5a3f146b33c41
Instruction Fuzzy Hash: 8EF08231244205AFD310EF69D859B6ABBE9FF55764F00002EE959D7260DB74A800CB94

Function 004F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E9C
Part of subcall function 004F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F4EAE
Part of subcall function 004F4E90: FreeLibrary.KERNEL32(00000000,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4EFD

Part of subcall function 004F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E62
Part of subcall function 004F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F4E74
Part of subcall function 004F4E59: FreeLibrary.KERNEL32(00000000,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E87

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 33567cadc3559736a15d67c546520b173f55d25d6c7b6946374efa088c82bcd3
Instruction ID: bcdd7d6bc77b4f7cd1ba907a2acdaaec4c270f5dcc1dee7ef3c3b3ebcb13a524
Opcode Fuzzy Hash: 33567cadc3559736a15d67c546520b173f55d25d6c7b6946374efa088c82bcd3
Instruction Fuzzy Hash: DD112731600209ABCB10BF61DC02FBE7BA5AF80714F10842EF646B71C1DE789E459764

Function 00528402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00528440

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e5cfaa086d7a222c1e952dbffbc000d65fe1efedfae357622860697dd246e953
Instruction ID: 082fad20926c69eb69d7223b01b577125ad287d83e74747e7e3642efbeef6a2b
Opcode Fuzzy Hash: e5cfaa086d7a222c1e952dbffbc000d65fe1efedfae357622860697dd246e953
Instruction Fuzzy Hash: DC11487190420AAFCF05DF98E9409AE7BF4FF49304F144059F808AB352DA30DA21CBA4

Function 00525000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00524C7D: RtlAllocateHeap.NTDLL(00000008,004F1129,00000000,?,00522E29,00000001,00000364,?,?,?,0051F2DE,00523863,005C1444,?,0050FDF5,?), ref: 00524CBE

_free.LIBCMT ref: 0052506C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3ad2b5111f9dd7850ed5ad519982c5cb88723445dbc162a47095ab69346673d6
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 1F0126722047156BE3218F69AC89A5AFFECFFCA370F65051DE184932C0EA30A805C6B4

Function 0051E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d03c47c2122cc62064b9c27c73e0860f4307581dec9a1fb5ec985190622a2973
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 7DF0F936511A21A6E7313A65BC0EBD63F98BFD3374F100B15F825921D1CB70A881C6A5

Function 004F9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004F9CBD

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: adafec5abc8015c7044a09e001c359287384851bfa8f5e3c1cb68c0661a74ac0
Instruction ID: 427a8ffc29f1ef4fc3fa15ad085851131694f4325b9a9a877ce43bc6db47ee35
Opcode Fuzzy Hash: adafec5abc8015c7044a09e001c359287384851bfa8f5e3c1cb68c0661a74ac0
Instruction Fuzzy Hash: 1FF0C8B36006056ED7249F29D806BABBF98FB84760F10852BF619CB1D1DB71E550CBA4

Function 00524C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,004F1129,00000000,?,00522E29,00000001,00000364,?,?,?,0051F2DE,00523863,005C1444,?,0050FDF5,?), ref: 00524CBE

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b277da0f6ff37d818e56ea6539910725da6082fa176a43b7fd447460c2f3b0d8
Instruction ID: 4d888ff893b205f20a96ecaf919b331fc856b841ac174b740e77b6a88ec0fee6
Opcode Fuzzy Hash: b277da0f6ff37d818e56ea6539910725da6082fa176a43b7fd447460c2f3b0d8
Instruction Fuzzy Hash: 08F0E93260263567EB215F7AFC09F9A3F88BF937A0B144121BC15B62C1CA70DC019EE0

Function 00523820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 90f8b6505b1732639fc522c52f318cdbc8564122b29d56c0b81c938359946cf2
Instruction ID: ad865d6f532c1a5a7ca3659fb72beee7a6791d03a7dadaec02eb50ba58210594
Opcode Fuzzy Hash: 90f8b6505b1732639fc522c52f318cdbc8564122b29d56c0b81c938359946cf2
Instruction Fuzzy Hash: FFE0E53210263556E7212676BC08BDA3E59BF83BB0F160120BD159A5C1CB29DD0186E1

Function 004F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4F6D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3fb90f22b1a6daa0449057c20518565b53f88af32d1c210f26f38dd0b0998eef
Instruction ID: d7084dd8f6dbea361986a4f05d3b5b5defb084ee19577c26fdf06f741958e4c9
Opcode Fuzzy Hash: 3fb90f22b1a6daa0449057c20518565b53f88af32d1c210f26f38dd0b0998eef
Instruction Fuzzy Hash: FCF03071505756CFDB349F64D494823BBE4BF54329310897FE6DE82621CB359888DF28

Function 00582A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00582A66

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1bc947db62df2cd1de3aa28fabf27ab5cdc42bce46cab135a315961bff499bf5
Instruction ID: 45254700a147520fd85b5a53c02a9be35787ae25dba5aad2d0220700a4dbe0ea
Opcode Fuzzy Hash: 1bc947db62df2cd1de3aa28fabf27ab5cdc42bce46cab135a315961bff499bf5
Instruction Fuzzy Hash: 6EE04F76350516AAC718FA30DC948FE7F5CFF90395B104536AC2AE2110EB70999997A0

Function 004F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 004F314E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cd0f8d9ff8f477f722120dcc95658485d95d264fbc007c315733a9fcc232525e
Instruction ID: bdd1690961475d4ca8958c20a03d5555fd83813ec6f42d03eac9783d35eda6e4
Opcode Fuzzy Hash: cd0f8d9ff8f477f722120dcc95658485d95d264fbc007c315733a9fcc232525e
Instruction Fuzzy Hash: 8FF0A7709003489FEB529F24DC49BDA7BBCB70170CF0000E5A64896292DB744B9CCF55

Function 004F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004F2DC4

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0d482feaabd06241f9a37be74749a05fafa1c59015231a8d48fc93449f59757a
Instruction ID: 417e5d9ffb9963d8a51002d53f1605a9559ffb1daafff0e7990d4f3dbaad772f
Opcode Fuzzy Hash: 0d482feaabd06241f9a37be74749a05fafa1c59015231a8d48fc93449f59757a
Instruction Fuzzy Hash: A8E0CD766001245BC71092589C05FEA77DDDFC8790F050075FD09E7248D974AD848664

Function 004F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F3908

Part of subcall function 004FD730: GetInputState.USER32 ref: 004FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 004F2B6B

Part of subcall function 004F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 004F314E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 600933ce2bf0869388b08319e6d001cc562697ad7971b857fd4d394eba75ce5a
Instruction ID: 7fac817666d64708b1dad1579ea9a3a8b050021122ed13f78b462eb94510ddf0
Opcode Fuzzy Hash: 600933ce2bf0869388b08319e6d001cc562697ad7971b857fd4d394eba75ce5a
Instruction Fuzzy Hash: 0AE0863170464D0ACA08BF76985297DB799DBE239BF40253FF74247163CE6C89498359

Function 0055DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0055DF40

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 07dd86f9bc059a9c1ca1fbfc725a26b9928972a73795d6820b29648a66987a1f
Instruction ID: dfd3765fb51cff4af5a26622ae3274ed87250ebefcde37bdf520d5814b2ad2c2
Opcode Fuzzy Hash: 07dd86f9bc059a9c1ca1fbfc725a26b9928972a73795d6820b29648a66987a1f
Instruction Fuzzy Hash: 2CD05EA2A003282BDF60A6759C0DDF73AACC740214F0006A1786DD3152E934ED8486B0

Function 0053039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00530704,?,?,00000000,?,00530704,00000000,0000000C), ref: 005303B7

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 07409dd25b2d8edef6ca22cdae67376db4010d7eaeeaa41d3ac7f14503eb49a1
Instruction ID: 44a3621e26ba06cf05dac4bcf07655560a08893ad5be0c7967ad02054c891931
Opcode Fuzzy Hash: 07409dd25b2d8edef6ca22cdae67376db4010d7eaeeaa41d3ac7f14503eb49a1
Instruction Fuzzy Hash: 58D06C3204010DBBDF028F84DD46EDA3FAAFB48714F014000BE1866020C732E821EB90

Function 004F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 004F1CBC

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a63f26e07b35fd0b8b42d2fc65d35b9462081890446a1d7f08075c8a2c069182
Instruction ID: a90d7fa9caaff05a4e8c045ac3ebd7fd49648594f0dcb7004e2a529174bcfef4
Opcode Fuzzy Hash: a63f26e07b35fd0b8b42d2fc65d35b9462081890446a1d7f08075c8a2c069182
Instruction Fuzzy Hash: 76C09B352807049FF6145780BC4AF117754A368F05F044401F609695E3C3F11414FB54

Non-executed Functions

Function 00589576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0058961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0058965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0058969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005896C9
SendMessageW.USER32 ref: 005896F2
GetKeyState.USER32(00000011), ref: 0058978B
GetKeyState.USER32(00000009), ref: 00589798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005897AE
GetKeyState.USER32(00000010), ref: 005897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005897E9
SendMessageW.USER32 ref: 00589810
SendMessageW.USER32(?,00001030,?,00587E95), ref: 00589918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0058992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00589941
SetCapture.USER32(?), ref: 0058994A
ClientToScreen.USER32(?,?), ref: 005899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005899D6
ReleaseCapture.USER32 ref: 005899E1
GetCursorPos.USER32(?), ref: 00589A19
ScreenToClient.USER32(?,?), ref: 00589A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00589A80
SendMessageW.USER32 ref: 00589AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00589AEB
SendMessageW.USER32 ref: 00589B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00589B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00589B4A
GetCursorPos.USER32(?), ref: 00589B68
ScreenToClient.USER32(?,?), ref: 00589B75
GetParent.USER32(?), ref: 00589B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00589BFA
SendMessageW.USER32 ref: 00589C2B
ClientToScreen.USER32(?,?), ref: 00589C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00589CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00589CDE
SendMessageW.USER32 ref: 00589D01
ClientToScreen.USER32(?,?), ref: 00589D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00589D82

Part of subcall function 00509944: GetWindowLongW.USER32(?,000000EB), ref: 00509952

GetWindowLongW.USER32(?,000000F0), ref: 00589E05

Strings

@GUI_DRAGID, xrefs: 0058997D
p#\, xrefs: 00589990
F, xrefs: 00589D07

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#\
API String ID: 3429851547-2312411218
Opcode ID: 23e9f5e995aaa1c02acfadac64dd1da37b9c0b378d0670d1a1c24dc6d17cf004
Instruction ID: 8badfc9561f475c60ac917e63b0ee42ec16394514db9caec1b6a0a66564d3186
Opcode Fuzzy Hash: 23e9f5e995aaa1c02acfadac64dd1da37b9c0b378d0670d1a1c24dc6d17cf004
Instruction Fuzzy Hash: 20428E74204201AFDB24EF29CC44EBABFE5FF49310F180A19FA59AB2A1E731D854DB51

Function 00584873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00584908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00584927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0058494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0058495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0058497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00584A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00584A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00584A7E
IsMenu.USER32(?), ref: 00584A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00584AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00584B20
GetWindowLongW.USER32(?,000000F0), ref: 00584B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00584BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00584C82
wsprintfW.USER32 ref: 00584CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00584CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00584CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00584D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00584D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00584D5A

Strings

%d/%02d/%02d, xrefs: 00584CA8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: bd47c03b5fff54a61bb932f221a86c37cb778de59f3aed3471e534944bd455f1
Instruction ID: 84692f56d54df094ab99b6d76b13bda94f2af40562dcb3a3cd42f4333deb449d
Opcode Fuzzy Hash: bd47c03b5fff54a61bb932f221a86c37cb778de59f3aed3471e534944bd455f1
Instruction Fuzzy Hash: 1212DD71600256ABEB24AF29CC49FAE7FA8BF85310F104529FD16EB2E1DB749944CF50

Function 0050F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0050F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0054F474
IsIconic.USER32(00000000), ref: 0054F47D
ShowWindow.USER32(00000000,00000009), ref: 0054F48A
SetForegroundWindow.USER32(00000000), ref: 0054F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0054F4AA
GetCurrentThreadId.KERNEL32 ref: 0054F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0054F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0054F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0054F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0054F4DE
SetForegroundWindow.USER32(00000000), ref: 0054F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F4F6
keybd_event.USER32(00000012,00000000), ref: 0054F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F50B
keybd_event.USER32(00000012,00000000), ref: 0054F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F519
keybd_event.USER32(00000012,00000000), ref: 0054F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F528
keybd_event.USER32(00000012,00000000), ref: 0054F52D
SetForegroundWindow.USER32(00000000), ref: 0054F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0054F557

Strings

Shell_TrayWnd, xrefs: 0054F46F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ec01ec42f714478a5f00584687f9b3232483ea785d12ccd1b720b570131b7065
Instruction ID: 040998172391237c2394a19f9a5a558464fb10adf957ae3856088f5cedf8b2e7
Opcode Fuzzy Hash: ec01ec42f714478a5f00584687f9b3232483ea785d12ccd1b720b570131b7065
Instruction Fuzzy Hash: 61313D71A40218BBEF206BB99C4AFBF7E6CEB44B54F101465FA05F61D1DAB15900BBB0

Function 00551201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055170D
Part of subcall function 005516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0055173A
Part of subcall function 005516C3: GetLastError.KERNEL32 ref: 0055174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00551286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005512A8
CloseHandle.KERNEL32(?), ref: 005512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005512D1
GetProcessWindowStation.USER32 ref: 005512EA
SetProcessWindowStation.USER32(00000000), ref: 005512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00551310

Part of subcall function 005510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005511FC), ref: 005510D4
Part of subcall function 005510BF: CloseHandle.KERNEL32(?,?,005511FC), ref: 005510E9

Strings

winsta0, xrefs: 005512CC
Z[, xrefs: 00551392
, xrefs: 0055125A
default, xrefs: 0055130B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z[
API String ID: 22674027-259235808
Opcode ID: 2c18d5a786a8474c374702b4db63b3f919d43bb0657498fd5f2ac87acc3cfff3
Instruction ID: 360275e3d7ec76c7616555425b1c3f517c71c40eed1c06711303305efabe5c1d
Opcode Fuzzy Hash: 2c18d5a786a8474c374702b4db63b3f919d43bb0657498fd5f2ac87acc3cfff3
Instruction Fuzzy Hash: 70816571900209ABDF209FA8DC59BEE7FB9BF04705F14612AFD10B62A0E7759948DB24

Function 00550B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551114
Part of subcall function 005510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551120
Part of subcall function 005510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 0055112F
Part of subcall function 005510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551136
Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0055114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00550BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00550C00
GetLengthSid.ADVAPI32(?), ref: 00550C17
GetAce.ADVAPI32(?,00000000,?), ref: 00550C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00550C6D
GetLengthSid.ADVAPI32(?), ref: 00550C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00550C8C
HeapAlloc.KERNEL32(00000000), ref: 00550C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00550CB4
CopySid.ADVAPI32(00000000), ref: 00550CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00550CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00550D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00550D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550D45
HeapFree.KERNEL32(00000000), ref: 00550D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550D55
HeapFree.KERNEL32(00000000), ref: 00550D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550D65
HeapFree.KERNEL32(00000000), ref: 00550D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00550D78
HeapFree.KERNEL32(00000000), ref: 00550D7F

Part of subcall function 00551193: GetProcessHeap.KERNEL32(00000008,00550BB1,?,00000000,?,00550BB1,?), ref: 005511A1
Part of subcall function 00551193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00550BB1,?), ref: 005511A8
Part of subcall function 00551193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00550BB1,?), ref: 005511B7

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2c44276eb4fac266633b55dd2a34adf8fa35e7d0cdae396a28edd838bbb3c58d
Instruction ID: 70c9e8708403bf03fa38cba8f220288fc617fb1fdcced115bb38d29f21cb7547
Opcode Fuzzy Hash: 2c44276eb4fac266633b55dd2a34adf8fa35e7d0cdae396a28edd838bbb3c58d
Instruction Fuzzy Hash: C371577290020AABDF109FE4DC88BEEBFB8BF14341F145516ED14A6291D771AA09DBA0

Function 0056EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0058CC08), ref: 0056EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0056EB37
GetClipboardData.USER32(0000000D), ref: 0056EB43
CloseClipboard.USER32 ref: 0056EB4F
GlobalLock.KERNEL32(00000000), ref: 0056EB87
CloseClipboard.USER32 ref: 0056EB91
GlobalUnlock.KERNEL32(00000000), ref: 0056EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0056EBC9
GetClipboardData.USER32(00000001), ref: 0056EBD1
GlobalLock.KERNEL32(00000000), ref: 0056EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0056EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0056EC38
GetClipboardData.USER32(0000000F), ref: 0056EC44
GlobalLock.KERNEL32(00000000), ref: 0056EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0056EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0056EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0056ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0056ECF3
CountClipboardFormats.USER32 ref: 0056ED14
CloseClipboard.USER32 ref: 0056ED59

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: af8b1245ade00d29506a559efbe5230bc7c1c6554807a8b16f0d834335bec98b
Instruction ID: c9c863b0a1d42e8128807c07a7bd9fd3fca913266d42b9985edf0ac3a1d34a2e
Opcode Fuzzy Hash: af8b1245ade00d29506a559efbe5230bc7c1c6554807a8b16f0d834335bec98b
Instruction Fuzzy Hash: 8D6100382042019FD300EF25D88AF3A7FA4BF94748F14551DF986A72A2DB31DD0ADB62

Function 0056698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005669BE
FindClose.KERNEL32(00000000), ref: 00566A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00566A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00566A75

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00566AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00566ADF

Strings

%03d, xrefs: 00566DA2
%02d, xrefs: 00566C00, 00566C0A, 00566C5A, 00566CAA, 00566CFA, 00566D4A
%4d, xrefs: 00566BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00566B32
%4d%02d%02d%02d%02d%02d, xrefs: 00566B6A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a280f6bbd4fb6ef50956ea9a595f2728e32e9f7f14c34e1224abdb148b382ef0
Instruction ID: 50612131807932c9ea45901f6ce7e2af5916cb9e625fbc59b59dd6b9396f9ccf
Opcode Fuzzy Hash: a280f6bbd4fb6ef50956ea9a595f2728e32e9f7f14c34e1224abdb148b382ef0
Instruction Fuzzy Hash: 8DD13D71508344AEC310EBA5C985EBBB7ECBF98704F04491EF685D7191EB78DA44CB62

Function 00569642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00569663
GetFileAttributesW.KERNEL32(?), ref: 005696A1
SetFileAttributesW.KERNEL32(?,?), ref: 005696BB
FindNextFileW.KERNEL32(00000000,?), ref: 005696D3
FindClose.KERNEL32(00000000), ref: 005696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0056974A
SetCurrentDirectoryW.KERNEL32(005B6B7C), ref: 00569768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00569772
FindClose.KERNEL32(00000000), ref: 0056977F
FindClose.KERNEL32(00000000), ref: 0056978F

Strings

*.*, xrefs: 005696F5

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 208f74cdc018d7eeda537fc60075144dfafdaa4470b23e06f6d9dbbfadbd25b6
Instruction ID: 613d1e513d4398a799695c2475fd3ba9b1659701256e6cd2ea3d0d21b45dafe0
Opcode Fuzzy Hash: 208f74cdc018d7eeda537fc60075144dfafdaa4470b23e06f6d9dbbfadbd25b6
Instruction Fuzzy Hash: 1431A4365402196ADF14AFB4DC49AEE7FACFF4A320F104155E916E3090EB34DD848B64

Function 0056979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 005697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00569819
FindClose.KERNEL32(00000000), ref: 00569824
FindFirstFileW.KERNEL32(*.*,?), ref: 00569840
SetCurrentDirectoryW.KERNEL32(?), ref: 00569890
SetCurrentDirectoryW.KERNEL32(005B6B7C), ref: 005698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005698B8
FindClose.KERNEL32(00000000), ref: 005698C5
FindClose.KERNEL32(00000000), ref: 005698D5

Part of subcall function 0055DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0055DB00

Strings

*.*, xrefs: 0056983B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c477027f7297f15f8b07920eebcb0ede236dd4998c0e008ce15b58bffcbc289a
Instruction ID: 30d22dbda37ac4702e7fcd070c359d3ade509e71e17cbb0fddf16270ca085041
Opcode Fuzzy Hash: c477027f7297f15f8b07920eebcb0ede236dd4998c0e008ce15b58bffcbc289a
Instruction Fuzzy Hash: 1B31C33250021AAADB10AFB4EC48ADE7FACBF4A320F104155E951A30D0DB30DD89CB60

Function 0055D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

Part of subcall function 0055E199: GetFileAttributesW.KERNEL32(?,0055CF95), ref: 0055E19A

FindFirstFileW.KERNEL32(?,?), ref: 0055D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0055D1DD
MoveFileW.KERNEL32(?,?), ref: 0055D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0055D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0055D237

Part of subcall function 0055D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0055D21C,?,?), ref: 0055D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0055D253
FindClose.KERNEL32(00000000), ref: 0055D264

Strings

\*.*, xrefs: 0055D0CD, 0055D0D6, 0055D0EB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 627ea3617556674c51ec23e1f9faf434626e0b987cf7fec819e8fb36037705d2
Instruction ID: e9a382211de712b2799bb90ac18d6f7fa9564648cd5522c20675f4a310246c00
Opcode Fuzzy Hash: 627ea3617556674c51ec23e1f9faf434626e0b987cf7fec819e8fb36037705d2
Instruction Fuzzy Hash: B1619B7280110DAACF15EBE1C9A29FDBBB5BF54345F24406AE90277191EB346F0DDB60

Function 0056ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0056ED91
EmptyClipboard.USER32 ref: 0056ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0056EDAC
CloseClipboard.USER32 ref: 0056EEA3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 484c88fbfcdd7376e95b253a46c926bf3ef31241ff55a18ceb9b2f26f58d38d7
Instruction ID: d4814f4cc6aa0f270039c8cacc97e42a5bbedbb4bc6f1f5c6f35b846bd635439
Opcode Fuzzy Hash: 484c88fbfcdd7376e95b253a46c926bf3ef31241ff55a18ceb9b2f26f58d38d7
Instruction Fuzzy Hash: 0741BF39205611AFE310CF1AD889B29BFE5FF54318F14C49DE8559B6A2C736EC45CBA0

Function 0055E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055170D
Part of subcall function 005516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0055173A
Part of subcall function 005516C3: GetLastError.KERNEL32 ref: 0055174A

ExitWindowsEx.USER32(?,00000000), ref: 0055E932

Strings

, xrefs: 0055E95C
SeShutdownPrivilege, xrefs: 0055E902
, xrefs: 0055E920
@, xrefs: 0055E925

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 38d2237c648123ea6380c07b11b3e0034bba17fe3c110107bc8c81ecc0301cce
Instruction ID: 6e02ccffd6f80384badbd461bab4c9313378efcea3054904244ee3a85c3d6a46
Opcode Fuzzy Hash: 38d2237c648123ea6380c07b11b3e0034bba17fe3c110107bc8c81ecc0301cce
Instruction Fuzzy Hash: 10012B72A10211ABEB1826B4ACABFBF7EBCBB14742F140823FC03F21D1D5605D4C82A4

Function 00571204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00571276
WSAGetLastError.WSOCK32 ref: 00571283
bind.WSOCK32(00000000,?,00000010), ref: 005712BA
WSAGetLastError.WSOCK32 ref: 005712C5
closesocket.WSOCK32(00000000), ref: 005712F4
listen.WSOCK32(00000000,00000005), ref: 00571303
WSAGetLastError.WSOCK32 ref: 0057130D
closesocket.WSOCK32(00000000), ref: 0057133C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: fca77574cad89dc30182c92e372d5ed3016a420c82386edea5f5f50f018e4d26
Instruction ID: c5d9ea76e231cc06d28e788fa0e18bae7de97c418bc0f3ed7cf1eae3ccdcf294
Opcode Fuzzy Hash: fca77574cad89dc30182c92e372d5ed3016a420c82386edea5f5f50f018e4d26
Instruction Fuzzy Hash: EA419E35600500AFD710DF29D488B29BBE6BF46318F18C089E95A9F293C775ED85DBE1

Function 0052B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0052B9D4
_free.LIBCMT ref: 0052B9F8
_free.LIBCMT ref: 0052BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00593700), ref: 0052BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,005C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0052BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,005C1270,000000FF,?,0000003F,00000000,?), ref: 0052BC36
_free.LIBCMT ref: 0052BD4B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 4f91cbddb864d597e4820a6856b3c00d5357c5de5f37ed73cc24890ea7fa9a64
Instruction ID: 21fdf80a80124c7d4f726aaa28ae059ede766fa09ea6fcd5fe418db4ab7733eb
Opcode Fuzzy Hash: 4f91cbddb864d597e4820a6856b3c00d5357c5de5f37ed73cc24890ea7fa9a64
Instruction Fuzzy Hash: 02C15775904226AFEB20DF69A845BAE7FB8FF93310F14459AE490D72D2DB308E41C750

Function 0055D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

Part of subcall function 0055E199: GetFileAttributesW.KERNEL32(?,0055CF95), ref: 0055E19A

FindFirstFileW.KERNEL32(?,?), ref: 0055D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0055D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0055D481
FindClose.KERNEL32(00000000), ref: 0055D498
FindClose.KERNEL32(00000000), ref: 0055D4A1

Strings

\*.*, xrefs: 0055D3F2

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 69fe4d658b9a71738d7a8b47d96ee712f5bcf1b725726ff4d6a087e2898c2c8d
Instruction ID: 6d1b16761b6a5eb6fcac17e8cd2a52b35030be16440ab5b5fe25cdf948142b26
Opcode Fuzzy Hash: 69fe4d658b9a71738d7a8b47d96ee712f5bcf1b725726ff4d6a087e2898c2c8d
Instruction Fuzzy Hash: 8031D0720083459BC710EF65C8518BF7BE8BE91345F444E1EF9D292191EB74AA0DC767

Function 0052E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0052E645

Strings

1#INF, xrefs: 0052F852
1#QNAN, xrefs: 0052F84B
1#SNAN, xrefs: 0052F844
1#IND, xrefs: 0052F83D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4084081dcb3f9a4074d340d187b5b1dbea475fc33a4300e74d9285b0a1e2bc93
Instruction ID: 0574f376bc33559cc09ba7efaf3c72985f5f3345e9a121b983aa28ee6671ae3e
Opcode Fuzzy Hash: 4084081dcb3f9a4074d340d187b5b1dbea475fc33a4300e74d9285b0a1e2bc93
Instruction Fuzzy Hash: DDC24A72E046298BDB25CE28ED457EABBB5FF46304F1445EAD44DE7280E774AE818F40

Function 0056648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005664DC
CoInitialize.OLE32(00000000), ref: 00566639
CoCreateInstance.OLE32(0058FCF8,00000000,00000001,0058FB68,?), ref: 00566650
CoUninitialize.OLE32 ref: 005668D4

Strings

.lnk, xrefs: 005664BA, 00566524, 005665E0

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d51034a84449a0cdfb68986f508d5e9ff5aa997aed5daa6cbece6eecd8ff0e91
Instruction ID: 9ffdec1bd3aac3a10d7f4459adaa38860b2d8eb9ffe59c6413c08c81d578e163
Opcode Fuzzy Hash: d51034a84449a0cdfb68986f508d5e9ff5aa997aed5daa6cbece6eecd8ff0e91
Instruction Fuzzy Hash: D9D15B715083059FC314EF25C881A6BBBE8FF94708F40495DF5958B291DB74ED09CBA6

Function 005722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005722E8

Part of subcall function 0056E4EC: GetWindowRect.USER32(?,?), ref: 0056E504

GetDesktopWindow.USER32 ref: 00572312
GetWindowRect.USER32(00000000), ref: 00572319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00572355
GetCursorPos.USER32(?), ref: 00572381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005723DF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 477f10ccaefb0224d5e0d95753b43118f720993409c2da4e824c673910a2ddb8
Instruction ID: 228501f41f8024cb7aabebbf58eb37b14acb1b64d59ed46e96a41f273e9a2b68
Opcode Fuzzy Hash: 477f10ccaefb0224d5e0d95753b43118f720993409c2da4e824c673910a2ddb8
Instruction Fuzzy Hash: 0331CF72505315AFDB20DF14D849E5BBBEAFF84310F004919F989A7281DB34EA08DBA2

Function 00569B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00569B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00569C8B

Part of subcall function 00563874: GetInputState.USER32 ref: 005638CB
Part of subcall function 00563874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00563966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00569BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00569C75

Strings

*.*, xrefs: 00569B5D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: dedaf5b53d74f65efec9f8e4f6b3547b35e70df0d42cf2b575af7f65c5f62dfe
Instruction ID: 0041019bb69537032638fdd6ef0e0350f21860ee22d33e6bc3b2c5aeacd504af
Opcode Fuzzy Hash: dedaf5b53d74f65efec9f8e4f6b3547b35e70df0d42cf2b575af7f65c5f62dfe
Instruction Fuzzy Hash: 37416D7190420A9FDF54EF64C989AEEBFB8FF45350F24415AE905A3191EB309E84CF64

Function 0050997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00509A4E
GetSysColor.USER32(0000000F), ref: 00509B23
SetBkColor.GDI32(?,00000000), ref: 00509B36

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 77c3f0da21d947b32eb7fdcb0132281faf73f662c650e8f40d4e0c5a136efba6
Instruction ID: a05933772db113d86424fc13b61e01a0e961a1ddc41084cc81caf413ea11210a
Opcode Fuzzy Hash: 77c3f0da21d947b32eb7fdcb0132281faf73f662c650e8f40d4e0c5a136efba6
Instruction Fuzzy Hash: 8EA1F870209848AEE728AA2C8C9DEBF3E9DFBCA354F150509F502D65DBCB259D01D376

Function 00571806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0057304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0057307A
Part of subcall function 0057304E: _wcslen.LIBCMT ref: 0057309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0057185D
WSAGetLastError.WSOCK32 ref: 00571884
bind.WSOCK32(00000000,?,00000010), ref: 005718DB
WSAGetLastError.WSOCK32 ref: 005718E6
closesocket.WSOCK32(00000000), ref: 00571915

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d28d216abf4c507d295aaf79d43bcb78e6ee688d44bec9f2f194e70b2c55d326
Instruction ID: b8f170ca0c9e89e40aeff75c572b1e10bf6cc9aefd933504ab70a79680a0fae7
Opcode Fuzzy Hash: d28d216abf4c507d295aaf79d43bcb78e6ee688d44bec9f2f194e70b2c55d326
Instruction Fuzzy Hash: 3551C471A00204AFDB10AF24D886F3A7BE5AB45718F04C49DFA0A6F3C3C775AD419BA5

Function 00581C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00581CC0
IsWindowEnabled.USER32 ref: 00581CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00581CDB
IsIconic.USER32 ref: 00581CE9
IsZoomed.USER32 ref: 00581CF7

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 808219bd866d8e3aba9a68c6f19b26756023bc4521380fd7a1be20767668b9b3
Instruction ID: fd525d92ac54a05b724b984a5be2cbd3afe6f4dc72e596eb648ced7b88ab387a
Opcode Fuzzy Hash: 808219bd866d8e3aba9a68c6f19b26756023bc4521380fd7a1be20767668b9b3
Instruction Fuzzy Hash: 1921B131740A015FD720AF2AC884B2A7FA9FF95314F188068EC46EB351CB71DC42CBA8

Function 004F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00535DF0
VUUU, xrefs: 004F83FA
VUUU, xrefs: 004F83E8
VUUU, xrefs: 004F843C
ERCP, xrefs: 004F813C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1e2c7f89e1180f2c89e92ad5b1c9f51e92e86345f9554e1e33f0b69fe467bd10
Instruction ID: ac936fad0e8b8bf15de6b3cff76a12022a8b914b6615cfc1e76f3f01fe161ac5
Opcode Fuzzy Hash: 1e2c7f89e1180f2c89e92ad5b1c9f51e92e86345f9554e1e33f0b69fe467bd10
Instruction Fuzzy Hash: F5A28C70E0061ECBDF24CF58C9407BEBBB1BB54314F2485AEE915AB285EB349D81CB95

Function 00558298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005582AA

Strings

(, xrefs: 005582F0
tb[, xrefs: 005584F4
|, xrefs: 005582DA

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb[$|
API String ID: 1659193697-2831977410
Opcode ID: f947ea7bfddd516aee181b4ac3cfce86d9c267433f8574c7afd103b940e06369
Instruction ID: 35cbe7622ff111772426a916dcb47a00c21db72afd178bd125b95788ad4231f2
Opcode Fuzzy Hash: f947ea7bfddd516aee181b4ac3cfce86d9c267433f8574c7afd103b940e06369
Instruction Fuzzy Hash: A7322A75A00605DFCB28CF59C49196ABBF0FF48710B15C96EE85AEB7A1DB70E941CB40

Function 0055AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0055AAAC
SetKeyboardState.USER32(00000080), ref: 0055AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0055AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0055AB88

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2b6efa61e68f316ac4881997434c16182a34bb66f8bb0e745bd9be57ab8e1eb3
Instruction ID: f11efe58849c043f9ff2549e3ea12e83e698c198ab66e589a4d1986dc5116fd8
Opcode Fuzzy Hash: 2b6efa61e68f316ac4881997434c16182a34bb66f8bb0e745bd9be57ab8e1eb3
Instruction Fuzzy Hash: 74310930A40248AEFF358A69CC25BFA7FA6BB44322F04431BF981561D1D7758989D7A2

Function 0056CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0056CE89
GetLastError.KERNEL32(?,00000000), ref: 0056CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0056CEFE

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 964e0d7953fc529c02c0d091e5e06e4399ff7814b0f754a57ab76e714c18cf2e
Instruction ID: 94441f6e2ad5bce96739c092cc27db213b8da93442dbeb8ea40098b041f27417
Opcode Fuzzy Hash: 964e0d7953fc529c02c0d091e5e06e4399ff7814b0f754a57ab76e714c18cf2e
Instruction Fuzzy Hash: 8821AC716003059BEB219F65C988BAABFFCFB50314F10481EEA86E3151E771EE48DB60

Function 00522622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0052271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00522724
UnhandledExceptionFilter.KERNEL32(?), ref: 00522731

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5f3ac67ac2b16c96ce179e3cf6e504181ac2920374eb19d071f34c50285c3449
Instruction ID: 125cdfa55fdf15b27a3427c83d977b2fe0c65d7f3bd10716ddb1ea9962d295ee
Opcode Fuzzy Hash: 5f3ac67ac2b16c96ce179e3cf6e504181ac2920374eb19d071f34c50285c3449
Instruction Fuzzy Hash: 6A31C574901229ABCB21DF64D8887DDBBB8BF18310F5051DAE81CA62A0E7709F858F44

Function 005651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00565238
SetErrorMode.KERNEL32(00000000), ref: 005652A1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e309d0ea7dfd5c13e8506a15fadc3f6279af5754b39747c3eb305357565383b9
Instruction ID: 7e37c8c16acd6de7e500b7ec722c9edb433b00313034b074a5b3e69adb1140c5
Opcode Fuzzy Hash: e309d0ea7dfd5c13e8506a15fadc3f6279af5754b39747c3eb305357565383b9
Instruction Fuzzy Hash: 82315075A00518DFDB00DF55D8D4EADBBB4FF48318F048099E905AB392DB35E859CB61

Function 005516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0050FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00510668
Part of subcall function 0050FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00510685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0055173A
GetLastError.KERNEL32 ref: 0055174A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 0bd8c97dac0b973c97f74b851b1177e549340b2ea50df835c112f7f31a7b4a14
Instruction ID: 38c410f6f81f2aa1b49683e34f2d4a5bff4286268f26ea03598439b8eb367895
Opcode Fuzzy Hash: 0bd8c97dac0b973c97f74b851b1177e549340b2ea50df835c112f7f31a7b4a14
Instruction Fuzzy Hash: 801131B2400305AFD3289F64EC8AE6FBFB9FB44710B20842EE45253281EB30BC458B20

Function 0055D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0055D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0055D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0055D650

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 8c67e1cc18d603d35a88a3ba19ba89c4e18345e9b5e9af52980658b288041a7c
Instruction ID: 2d179b7523f86470893b6af9c15fd193750051987ab0fe92abccd16544b5097f
Opcode Fuzzy Hash: 8c67e1cc18d603d35a88a3ba19ba89c4e18345e9b5e9af52980658b288041a7c
Instruction Fuzzy Hash: 3D113C76E05228BBDB208F959C45FAFBFBCEB45B50F108156FD04E7290D6704A059BA1

Function 00551663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0055168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005516A1
FreeSid.ADVAPI32(?), ref: 005516B1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8ab25ee6d9d8e3331b2f79199d1ed7624a7957b660d72f7c42a42353895ea2fd
Instruction ID: 727d2a06b86daeb6e9894869cd07f53470f43b996da0c9e1405862433dffa455
Opcode Fuzzy Hash: 8ab25ee6d9d8e3331b2f79199d1ed7624a7957b660d72f7c42a42353895ea2fd
Instruction Fuzzy Hash: E3F04471940308FBDB00CFE09C89EAEBBBCFB08240F104461E900E2180E330AA089B60

Function 0052C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0052C36C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: ce5b786f710ea7ad457616aff60c39b0ef00c06a92425241d512d4da407c4b41
Instruction ID: 1468d3c04bcc6ccddc08f6b6d99d1fd7c4afc0010617c60efb8ff144956c4cff
Opcode Fuzzy Hash: ce5b786f710ea7ad457616aff60c39b0ef00c06a92425241d512d4da407c4b41
Instruction Fuzzy Hash: 4C411476500229ABCB20DFB9EC88EAF7F78FF85314F104A69F905971C1E6709D818B50

Function 0051CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d28e11acbf6a6ba890ff45c684f0cbf64fa0f452e25c032f6bddcc69b4285617
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 8B020B71E402199BDF14CFA9D8806EDBFB5FF88314F254669D819EB280D731AD418B94

Function 004FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#\, xrefs: 004FCF7F
Variable is not of type 'Object'., xrefs: 00540C40

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#\
API String ID: 0-856599282
Opcode ID: 79382e8e530138cd3ca0a9e3c5b49e39135c1b3ebb7ed2452b036e6e6e533c20
Instruction ID: 3d664b15d03af2ef92e4330cd6ad0f41ace81a038a63c644cd840db5610adc31
Opcode Fuzzy Hash: 79382e8e530138cd3ca0a9e3c5b49e39135c1b3ebb7ed2452b036e6e6e533c20
Instruction Fuzzy Hash: C1328E7090021DDBCF14DF90CA85AFDBBB5FF04308F24405AEA06AB291D779AD46DB65

Function 005668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00566918
FindClose.KERNEL32(00000000), ref: 00566961

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b5ba9897e04eca03d5d8c67e5864720aee34e83e5e7e71bd3463d2900358b59c
Instruction ID: d04006ffa955d88646f53acea96fad26b4318185fe53f47fdb791e71216f6588
Opcode Fuzzy Hash: b5ba9897e04eca03d5d8c67e5864720aee34e83e5e7e71bd3463d2900358b59c
Instruction Fuzzy Hash: BB11D0356042059FC710CF2AC484A26BBE4FF84328F04C69DE86A8F6A2C734EC05CBA1

Function 005637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00574891,?,?,00000035,?), ref: 005637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00574891,?,?,00000035,?), ref: 005637F4

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0c06586144cf02a6ca6c2470894920019960929cb84e000bcd73ae60bc22e202
Instruction ID: 5bdfa9813a393db18d84b447858abe6a9a68c48e9da2f6468916b3cc93045b5e
Opcode Fuzzy Hash: 0c06586144cf02a6ca6c2470894920019960929cb84e000bcd73ae60bc22e202
Instruction Fuzzy Hash: 4CF0E5B06042292AE72057769C4DFEB3FAEEFC4761F000165F509E3281DA709E08C7B0

Function 0055B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0055B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0055B270

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: bcc8506a8a4ccb3dc3f26727125661cd1c5ef227069a129c513e0596c7113bed
Instruction ID: 50f38cbf51f235315015f8e156a5564a5b6091a781f32c4676aad6c3ec31151d
Opcode Fuzzy Hash: bcc8506a8a4ccb3dc3f26727125661cd1c5ef227069a129c513e0596c7113bed
Instruction Fuzzy Hash: 19F01D7580424DABEF059FA0C805BAE7FB4FF04305F00940AFD55A5191C77986159FA4

Function 005510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005511FC), ref: 005510D4
CloseHandle.KERNEL32(?,?,005511FC), ref: 005510E9

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c34dc233a8ce5c67dd6a24790628b5ea54538ee04f72ca68f2f5210343b659fa
Instruction ID: 55fca517204bcf1f3de473feca441caba76fec49d35610c263f1837d4a4d4afa
Opcode Fuzzy Hash: c34dc233a8ce5c67dd6a24790628b5ea54538ee04f72ca68f2f5210343b659fa
Instruction Fuzzy Hash: 5DE04F32004601EFE7252B61FC09E777FA9FB04310B24882EF8A5804F1DB72AC90EB64

Function 0052676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00526766,?,?,00000008,?,?,0052FEFE,00000000), ref: 00526998

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5735c6b8d07b6dc01538a03640ff1eb5a94e6f746db688e65fa4fc5607ad1419
Instruction ID: 5e9b2390d32cc2002737ff259914b2f4fdd46ecefee6b4216d1c47e29c98a005
Opcode Fuzzy Hash: 5735c6b8d07b6dc01538a03640ff1eb5a94e6f746db688e65fa4fc5607ad1419
Instruction Fuzzy Hash: 6FB126326106189FD719CF28D48AB657FE0FF46364F298658E899CB2E2C735E981CB40

Function 0050B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0054851F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fb3ec338bd9b58d09fe2003b3b097d9243b8fa7a911041642adf778958b8b957
Instruction ID: 7810d02313d0877da75020a16ce36474b6257511fc46d7705d388408585b7a72
Opcode Fuzzy Hash: fb3ec338bd9b58d09fe2003b3b097d9243b8fa7a911041642adf778958b8b957
Instruction Fuzzy Hash: 7F124F759002299BDF24CF58C8806FEBBF5FF48714F14859AE849EB295DB349E81CB90

Function 0056EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0056EABD

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 95ac85ba448378a2fc3bcf5329e4bdf3d51fcbf8c6c5303ac0cfaedc685ce9ae
Instruction ID: 1df2e6c93890ce5c2c3f000b5c768f8e59c853b898c8a57e9afcb58b9e0010da
Opcode Fuzzy Hash: 95ac85ba448378a2fc3bcf5329e4bdf3d51fcbf8c6c5303ac0cfaedc685ce9ae
Instruction Fuzzy Hash: CCE048352002049FC710DF9AD445D5AFBD9FF59764F00841AFD45D7351D774E8408BA1

Function 005109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005103EE), ref: 005109DA

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 106a2db3b86a3cf661ecdbee02ab460a9eb2dd11395c310717ebe81f5c1cb449
Instruction ID: 306917d2c7110a2784015172e7b02c8ce4bf165e56e6fea7fd828cf5a91b763e
Opcode Fuzzy Hash: 106a2db3b86a3cf661ecdbee02ab460a9eb2dd11395c310717ebe81f5c1cb449
Instruction Fuzzy Hash:

Function 0051781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0051798B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 086e08a61e4b734b7ddf22edbc55a9a81b4bd125a9a8e96bd5a0e2bcef22e142
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 6751686160C60E7BFB38552C885D7FE2FB9BB5E340F180909E882D7282C615DECAD356

Function 00562046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&\, xrefs: 00562053

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: 0&\
API String ID: 0-2049548921
Opcode ID: 50e7a0dc6b188c77bd6cf3dbf9a064542e235aed4876f65ffbf7b66307dda6c5
Instruction ID: a80ca7d95e4c498576f3a3afff1382395d4e7093bac71858b085d65ea63e959c
Opcode Fuzzy Hash: 50e7a0dc6b188c77bd6cf3dbf9a064542e235aed4876f65ffbf7b66307dda6c5
Instruction Fuzzy Hash: 7A21D8322209158BD728CF79C81767A77E5B764320F14862EE4A7C33D0DE35A944D750

Function 00526DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fceacffc98bd44506886070a8b3e3812551ab4eae7fd5e0390d91affe98c49
Instruction ID: c24fe40d2ef066d89852fc5342de15b3f80cecda8de7b0818145755a714afa4f
Opcode Fuzzy Hash: f6fceacffc98bd44506886070a8b3e3812551ab4eae7fd5e0390d91affe98c49
Instruction Fuzzy Hash: 99324531D29F154ED7239634D862335AA8CBFBB3C5F15C737E81AB59A6EB28C4835140

Function 0050CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ee2720cb9d1c3b8caf3bd3f366d662a3e7e6b045d97cd9a2c7ad2bb41e3f99
Instruction ID: 7c0fa8a816b4cef4998cb3d260f7980fed130c66be24be43f202af6daf81673a
Opcode Fuzzy Hash: 86ee2720cb9d1c3b8caf3bd3f366d662a3e7e6b045d97cd9a2c7ad2bb41e3f99
Instruction Fuzzy Hash: 04321531A011558BDF68CF29C4D46FD7FA1FBC6308F29866AD46A9B6D2D230DD81DB40

Function 004F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec42a9deb94d4e27664750bfd8b9d20b4b5adb689918732c60685bccf9c2d73
Instruction ID: 5e8ec002c85887839be9a644e5f343fea2dd7cbb36618b0e50ad0e58eb10d5e5
Opcode Fuzzy Hash: 8ec42a9deb94d4e27664750bfd8b9d20b4b5adb689918732c60685bccf9c2d73
Instruction Fuzzy Hash: 6822D3B0A0060ADFDF14CF65C841ABEBBF6FF44304F10462AE816A7291EB39AD55CB55

Function 004F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49be9d8d469fc1cd92fa82025c8e0f990eaf7a11b2b6a29367a6f94abad09dfc
Instruction ID: 3cec12e546cd06e830e659d8162d3a7eaa08ff90066870eb0a12f69d98e21e4d
Opcode Fuzzy Hash: 49be9d8d469fc1cd92fa82025c8e0f990eaf7a11b2b6a29367a6f94abad09dfc
Instruction Fuzzy Hash: 7302F7B0E0010AEBDF04DF54D886AAEBBF5FF44300F118569E9069B2D1EB35AE51CB95

Function 00511C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 9c0d328e2d3c23ffa0935ee8ce228ebce553c421d0f0b2e6254ed0164b5e923c
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: D49189722084A34AFB29467E95740BEFFE17A923A131A0BDDD5F2CA1C1FE14C9D4D624

Function 005119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a360573c14f9f5609691cfb49f52d29809ea8dd2fe21bd6448a8ffe05aa1b668
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C791767220D8A34AFB2D427A85740BDFFE16A923A171A0BDDD5F2CA1C1FE14C9D4D624

Function 00517A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8186835c186e524b2de7bef5876e9fed50f5aafe3f71712f2140876f46cc0b13
Instruction ID: 125c189becc9b84b9963ddf37d3ab6187d50b6cc3f5a574eef4ddbe4b5ce3110
Opcode Fuzzy Hash: 8186835c186e524b2de7bef5876e9fed50f5aafe3f71712f2140876f46cc0b13
Instruction Fuzzy Hash: BD61276160C70E56FA34992C8899BFE6FB5FF8D704F240D19E842DB281EB119EC2C355

Function 00511706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 30a39975a915a35087dbf166de175157a04e1a465eaa1a2155836e99b125ac48
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: B38186326094A309FB6D423E85744BEFFE17A923A131A47DDD5F2CB1C1EE24C994D624

Function 00572ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00572B30
DeleteObject.GDI32(00000000), ref: 00572B43
DestroyWindow.USER32 ref: 00572B52
GetDesktopWindow.USER32 ref: 00572B6D
GetWindowRect.USER32(00000000), ref: 00572B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00572CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00572CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572CF8
GetClientRect.USER32(00000000,?), ref: 00572D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00572D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D80
GlobalLock.KERNEL32(00000000), ref: 00572D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D98
GlobalUnlock.KERNEL32(00000000), ref: 00572DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572DA8
GlobalFree.KERNEL32(00000000), ref: 00572DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0058FC38,00000000), ref: 00572DDB
GlobalFree.KERNEL32(00000000), ref: 00572DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00572E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00572E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0057303F

Strings

static, xrefs: 00572D3A, 00572E91
AutoIt v3, xrefs: 00572CF2
DISPLAY, xrefs: 00572EA2
, xrefs: 00572FC5

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 725c5e7fb5d8c8846d38c545ff46ba9a3112a0ab2061161f09de8a0c6730631b
Instruction ID: bbfe4691f67fae53626a7bcbc6aa04da8d6b7563fb061073c1092ef81b999eb9
Opcode Fuzzy Hash: 725c5e7fb5d8c8846d38c545ff46ba9a3112a0ab2061161f09de8a0c6730631b
Instruction Fuzzy Hash: 42028971900208AFDB14DF64DC89EAE7FB9FB49714F008519F919AB2A1DB74ED04DB60

Function 005870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0058712F
GetSysColorBrush.USER32(0000000F), ref: 00587160
GetSysColor.USER32(0000000F), ref: 0058716C
SetBkColor.GDI32(?,000000FF), ref: 00587186
SelectObject.GDI32(?,?), ref: 00587195
InflateRect.USER32(?,000000FF,000000FF), ref: 005871C0
GetSysColor.USER32(00000010), ref: 005871C8
CreateSolidBrush.GDI32(00000000), ref: 005871CF
FrameRect.USER32(?,?,00000000), ref: 005871DE
DeleteObject.GDI32(00000000), ref: 005871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00587230
FillRect.USER32(?,?,?), ref: 00587262
GetWindowLongW.USER32(?,000000F0), ref: 00587284

Part of subcall function 005873E8: GetSysColor.USER32(00000012), ref: 00587421
Part of subcall function 005873E8: SetTextColor.GDI32(?,?), ref: 00587425
Part of subcall function 005873E8: GetSysColorBrush.USER32(0000000F), ref: 0058743B
Part of subcall function 005873E8: GetSysColor.USER32(0000000F), ref: 00587446
Part of subcall function 005873E8: GetSysColor.USER32(00000011), ref: 00587463
Part of subcall function 005873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00587471
Part of subcall function 005873E8: SelectObject.GDI32(?,00000000), ref: 00587482
Part of subcall function 005873E8: SetBkColor.GDI32(?,00000000), ref: 0058748B
Part of subcall function 005873E8: SelectObject.GDI32(?,?), ref: 00587498
Part of subcall function 005873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005874B7
Part of subcall function 005873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005874CE
Part of subcall function 005873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005874DB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 0bcb9248d1a75888eaa25f2aca5e6d4db394f302805b726acc32b79776c2e47b
Instruction ID: 1494d040624d8fd7d4d17102c9ffa35ea2dc20279e087291377b247b6adce027
Opcode Fuzzy Hash: 0bcb9248d1a75888eaa25f2aca5e6d4db394f302805b726acc32b79776c2e47b
Instruction Fuzzy Hash: 58A1A172008305AFDB00AF64DC48E5B7FA9FF99320F201A19FD62A61E1D731E948DB61

Function 00508D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00508E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00546AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00546AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00546F43

Part of subcall function 00508F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00508BE8,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 00508FC5

SendMessageW.USER32(?,00001053), ref: 00546F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00546F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00546FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00546FB7

Strings

0, xrefs: 00546DCF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 2990dc3628944cd732639bc4e6ec3951574d36625858f432fbb2bac03365af6b
Instruction ID: 59e643af14b9b19bb9fa590f839974e9668460f12cd6cdaa446591eba5309df9
Opcode Fuzzy Hash: 2990dc3628944cd732639bc4e6ec3951574d36625858f432fbb2bac03365af6b
Instruction Fuzzy Hash: D7129B30600601EFDB25CF14C888FBABFE9FB56304F184469E5859B2A2CB31EC55EB52

Function 00572711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0057273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0057286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00572900
GetClientRect.USER32(00000000,?), ref: 0057290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00572955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00572964
GetStockObject.GDI32(00000011), ref: 00572974
SelectObject.GDI32(00000000,00000000), ref: 00572978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00572988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00572991
DeleteDC.GDI32(00000000), ref: 0057299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00572A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00572A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00572A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00572A77
GetStockObject.GDI32(00000011), ref: 00572A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00572A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00572A97

Strings

static, xrefs: 0057294F, 00572A71
AutoIt v3, xrefs: 005728F8
DISPLAY, xrefs: 0057295A
msctls_progress32, xrefs: 00572A13

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: bccc4ccaabc2d908c4cf877bfba649baf06854a3009f480614dd3f36e4a7d6b8
Instruction ID: c96318fbd0913d8fa37d4068fc28239dcc34f8655c0a166698e7b3553500aad0
Opcode Fuzzy Hash: bccc4ccaabc2d908c4cf877bfba649baf06854a3009f480614dd3f36e4a7d6b8
Instruction Fuzzy Hash: 53B1AB71A00609AFEB14CF68DC89EAE7BB9FB08714F008519FA14E7291D774ED04DBA4

Function 00564ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00564AED
GetDriveTypeW.KERNEL32(?,0058CB68,?,\\.\,0058CC08), ref: 00564BCA
SetErrorMode.KERNEL32(00000000,0058CB68,?,\\.\,0058CC08), ref: 00564D36

Strings

Removable, xrefs: 00564C10, 00564C15
FileBackedVirtual, xrefs: 00564CEC
MMC, xrefs: 00564CDE
Fibre, xrefs: 00564CAD
RAMDisk, xrefs: 00564BF4
USB, xrefs: 00564CB4
Fixed, xrefs: 00564C09
SSD, xrefs: 00564C4A
ATAPI, xrefs: 00564C91
RAID, xrefs: 00564CBB
PhysicalDrive, xrefs: 00564B76
\\.\, xrefs: 00564B3F
SAS, xrefs: 00564CC9
SSA, xrefs: 00564CA6
Unknown, xrefs: 00564BED, 00564C83
iSCSI, xrefs: 00564CC2
SCSI, xrefs: 00564C8A
SATA, xrefs: 00564CD0
Virtual, xrefs: 00564CE5
ATA, xrefs: 00564C98
CDROM, xrefs: 00564BFB
1394, xrefs: 00564C9F
Network, xrefs: 00564C02

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 082f012865c9b68ca34aed70357c9b324d2bb8658d3b728d91bc82c5ac9bbcdf
Instruction ID: abdd9e493615c8b156ab474982c61aa77b225ac8f769d5e59f4e09800ef7c190
Opcode Fuzzy Hash: 082f012865c9b68ca34aed70357c9b324d2bb8658d3b728d91bc82c5ac9bbcdf
Instruction Fuzzy Hash: 9561BF7170520A9FDB14DF28CA829B97FB0BF44344B24881AF806AB791DB3AED41DF51

Function 005873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00587421
SetTextColor.GDI32(?,?), ref: 00587425
GetSysColorBrush.USER32(0000000F), ref: 0058743B
GetSysColor.USER32(0000000F), ref: 00587446
CreateSolidBrush.GDI32(?), ref: 0058744B
GetSysColor.USER32(00000011), ref: 00587463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00587471
SelectObject.GDI32(?,00000000), ref: 00587482
SetBkColor.GDI32(?,00000000), ref: 0058748B
SelectObject.GDI32(?,?), ref: 00587498
InflateRect.USER32(?,000000FF,000000FF), ref: 005874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0058752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00587554
InflateRect.USER32(?,000000FD,000000FD), ref: 00587572
DrawFocusRect.USER32(?,?), ref: 0058757D
GetSysColor.USER32(00000011), ref: 0058758E
SetTextColor.GDI32(?,00000000), ref: 00587596
DrawTextW.USER32(?,005870F5,000000FF,?,00000000), ref: 005875A8
SelectObject.GDI32(?,?), ref: 005875BF
DeleteObject.GDI32(?), ref: 005875CA
SelectObject.GDI32(?,?), ref: 005875D0
DeleteObject.GDI32(?), ref: 005875D5
SetTextColor.GDI32(?,?), ref: 005875DB
SetBkColor.GDI32(?,?), ref: 005875E5

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d1dd213fc631db989645d76c95a7011aebb0aaf104e8e53e948668e028c19e70
Instruction ID: b635b8c66577df2e196505c068f638275697f09e310577eb4aff8e614c734e25
Opcode Fuzzy Hash: d1dd213fc631db989645d76c95a7011aebb0aaf104e8e53e948668e028c19e70
Instruction Fuzzy Hash: A0615D72900218AFDF01AFA4DC49EAE7FB9FB08320F215515FD15BB2A1D7749940DBA0

Function 00580FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00581128
GetDesktopWindow.USER32 ref: 0058113D
GetWindowRect.USER32(00000000), ref: 00581144
GetWindowLongW.USER32(?,000000F0), ref: 00581199
DestroyWindow.USER32(?), ref: 005811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0058120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0058121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00581232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00581245
IsWindowVisible.USER32(00000000), ref: 005812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005812D0
GetWindowRect.USER32(00000000,?), ref: 005812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0058130E
GetMonitorInfoW.USER32(00000000,?), ref: 00581328
CopyRect.USER32(?,?), ref: 0058133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005813AA

Strings

0, xrefs: 005810D3
(, xrefs: 0058131B
tooltips_class32, xrefs: 005811E6

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 58c2ab1fc626194ab36d0b04000afd8c8a1df2da4e4b80165153ad61eed0dfdb
Instruction ID: f4507934843dcfdd9400fe17f2d55cae5e0ccc6125893996c40aeae0caf64900
Opcode Fuzzy Hash: 58c2ab1fc626194ab36d0b04000afd8c8a1df2da4e4b80165153ad61eed0dfdb
Instruction Fuzzy Hash: E7B18F71604741AFD700DF65C888B6ABFE8FF84354F00891DF99AAB261DB31E845CBA5

Function 00580241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005802E5
_wcslen.LIBCMT ref: 0058031F
_wcslen.LIBCMT ref: 00580389
_wcslen.LIBCMT ref: 005803F1
_wcslen.LIBCMT ref: 00580475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00580504

Part of subcall function 0050F9F2: _wcslen.LIBCMT ref: 0050F9FD

Part of subcall function 0055223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00552258
Part of subcall function 0055223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0055228A

Strings

SELECTINVERT, xrefs: 0058057E
GETSELECTED, xrefs: 005805E1
SELECTALL, xrefs: 00580515
GETSUBITEMCOUNT, xrefs: 00580384, 0058039F
GETSELECTEDCOUNT, xrefs: 00580470, 0058048B
VIEWCHANGE, xrefs: 00580675
FINDITEM, xrefs: 00580627
GETTEXT, xrefs: 005803EC, 00580407
SELECTCLEAR, xrefs: 0058052D
DESELECT, xrefs: 0058059C
GETITEMCOUNT, xrefs: 00580316, 00580337
SELECT, xrefs: 00580548
ISSELECTED, xrefs: 005804DD

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5fd080525d0c3fadb134f19d87d40cebf4b0af2879ea46f561e70a0c22fb0646
Instruction ID: 7bafc90c196e7423504a117b36408cd9710611ddd8b73524445f07f8c1ead7a3
Opcode Fuzzy Hash: 5fd080525d0c3fadb134f19d87d40cebf4b0af2879ea46f561e70a0c22fb0646
Instruction Fuzzy Hash: CEE1BD312082059FCB54EF25C45183ABBE2BFC8358B14596DFC96AB2E1DB34ED49CB91

Function 00508891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00508968
GetSystemMetrics.USER32(00000007), ref: 00508970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0050899B
GetSystemMetrics.USER32(00000008), ref: 005089A3
GetSystemMetrics.USER32(00000004), ref: 005089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00508A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00508A3C
GetClientRect.USER32(00000000,000000FF), ref: 00508A5A
GetStockObject.GDI32(00000011), ref: 00508A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00508A81

Part of subcall function 0050912D: GetCursorPos.USER32(?), ref: 00509141
Part of subcall function 0050912D: ScreenToClient.USER32(00000000,?), ref: 0050915E
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000001), ref: 00509183
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000002), ref: 0050919D

SetTimer.USER32(00000000,00000000,00000028,005090FC), ref: 00508AA8

Strings

AutoIt v3 GUI, xrefs: 00508A20

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 13fd811e8c9d6bb989c059b4c76472d709e99b95e08ffca2a823750104550b1a
Instruction ID: 578b379737658c818a38a3891e20c6e24ce9840c99875cfdfc772fb2456fb907
Opcode Fuzzy Hash: 13fd811e8c9d6bb989c059b4c76472d709e99b95e08ffca2a823750104550b1a
Instruction Fuzzy Hash: 5CB16871A0020A9FDF14DFA8CC49FAE3FA5FB49314F104629FA15A7290DB74E840DB65

Function 00550D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551114
Part of subcall function 005510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551120
Part of subcall function 005510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 0055112F
Part of subcall function 005510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551136
Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0055114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00550DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00550E29
GetLengthSid.ADVAPI32(?), ref: 00550E40
GetAce.ADVAPI32(?,00000000,?), ref: 00550E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00550E96
GetLengthSid.ADVAPI32(?), ref: 00550EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00550EB5
HeapAlloc.KERNEL32(00000000), ref: 00550EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00550EDD
CopySid.ADVAPI32(00000000), ref: 00550EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00550F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00550F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00550F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550F6E
HeapFree.KERNEL32(00000000), ref: 00550F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550F7E
HeapFree.KERNEL32(00000000), ref: 00550F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550F8E
HeapFree.KERNEL32(00000000), ref: 00550F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00550FA1
HeapFree.KERNEL32(00000000), ref: 00550FA8

Part of subcall function 00551193: GetProcessHeap.KERNEL32(00000008,00550BB1,?,00000000,?,00550BB1,?), ref: 005511A1
Part of subcall function 00551193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00550BB1,?), ref: 005511A8
Part of subcall function 00551193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00550BB1,?), ref: 005511B7

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5b75120dbce42a3f9311cb501d3cfeedefc3d704784644980b58e8985d887d96
Instruction ID: e8b3512bf88941d0e66f2c0694e97605ff2cfbbee53337223d64fe05573d9cef
Opcode Fuzzy Hash: 5b75120dbce42a3f9311cb501d3cfeedefc3d704784644980b58e8985d887d96
Instruction Fuzzy Hash: DC71487290020AEBDB209FA4DC89BAEBFB8BF14342F145116ED19B6191D7319A09CB70

Function 0057C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0058CC08,00000000,?,00000000,?,?), ref: 0057C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0057C5A4
_wcslen.LIBCMT ref: 0057C5F4
_wcslen.LIBCMT ref: 0057C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0057C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0057C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0057C84D
RegCloseKey.ADVAPI32(?), ref: 0057C881
RegCloseKey.ADVAPI32(00000000), ref: 0057C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0057C960

Strings

REG_BINARY, xrefs: 0057C913
REG_MULTI_SZ, xrefs: 0057C6F5
REG_DWORD, xrefs: 0057C804
REG_EXPAND_SZ, xrefs: 0057C5CD
REG_SZ, xrefs: 0057C644
REG_QWORD, xrefs: 0057C8C3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 4d4816945cc5a45bdef5e3702baab0015fbdd8f1c91dcfaaaa145bab99e1e548
Instruction ID: 639884e61fdb83abf5ab008975249f0d9fdec3260f4efcfd6322ab869e41607f
Opcode Fuzzy Hash: 4d4816945cc5a45bdef5e3702baab0015fbdd8f1c91dcfaaaa145bab99e1e548
Instruction Fuzzy Hash: 18127831204201AFDB14DF15D885A2ABBE5FF88358F04885DF98A9B3A2DB35FC45DB85

Function 0058091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005809C6
_wcslen.LIBCMT ref: 00580A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00580A54
_wcslen.LIBCMT ref: 00580A8A
_wcslen.LIBCMT ref: 00580B06
_wcslen.LIBCMT ref: 00580B81

Part of subcall function 0050F9F2: _wcslen.LIBCMT ref: 0050F9FD

Part of subcall function 00552BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00552BFA

Strings

GETTOTALCOUNT, xrefs: 005809F2, 00580A17
EXISTS, xrefs: 00580B7C, 00580B97
GETSELECTED, xrefs: 00580C4E
GETTEXT, xrefs: 00580C97
EXPAND, xrefs: 00580BF8
GETITEMCOUNT, xrefs: 00580C1E
SELECT, xrefs: 00580D11
COLLAPSE, xrefs: 00580B01, 00580B1C
UNCHECK, xrefs: 00580D3E
CHECK, xrefs: 00580A85, 00580AA0
ISCHECKED, xrefs: 00580CE1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: be35b8f69c470c4394506eff390201a59faf313140a224d5b60e22fd2bfe4142
Instruction ID: d8c13c359d4ea6e2df8c9fad8b33dc3f0fb82d427809855e3bae1af2811dd4d9
Opcode Fuzzy Hash: be35b8f69c470c4394506eff390201a59faf313140a224d5b60e22fd2bfe4142
Instruction Fuzzy Hash: 55E1AA312083029FC754EF25C45196EBBE1BF98358F14995DF896AB3A2DB30ED49CB81

Function 0057C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
_wcslen.LIBCMT ref: 0057C9F1
_wcslen.LIBCMT ref: 0057CA68
_wcslen.LIBCMT ref: 0057CA9E
_wcslen.LIBCMT ref: 0057CAF9
_wcslen.LIBCMT ref: 0057CB2F
_wcslen.LIBCMT ref: 0057CB7F

Strings

HKCU, xrefs: 0057CBCE
HKCC, xrefs: 0057CBAC
HKEY_CURRENT_USER, xrefs: 0057CBBD
HKEY_LOCAL_MACHINE, xrefs: 0057CA62, 0057CA67
HKEY_CURRENT_CONFIG, xrefs: 0057CB79, 0057CB7E
HKU, xrefs: 0057CBF0
HKEY_USERS, xrefs: 0057CBDF
HKLM, xrefs: 0057CA98, 0057CA9D
HKEY_CLASSES_ROOT, xrefs: 0057CAF3, 0057CAF8
HKCR, xrefs: 0057CB29, 0057CB2E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 0b4d25b5260cd80bb013cbf4fca16dbf60fbdab22656f487c73623598bfd0972
Instruction ID: 795f0919b22fdc69ce3c4e789ffbd221f5bd39084191ee1705772777b873e531
Opcode Fuzzy Hash: 0b4d25b5260cd80bb013cbf4fca16dbf60fbdab22656f487c73623598bfd0972
Instruction Fuzzy Hash: E671173261012B8BCB20DE7CE8415FE3F95BBA4754B65852CF86E97284EA30DD84E390

Function 0058833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058835A
_wcslen.LIBCMT ref: 0058836E
_wcslen.LIBCMT ref: 00588391
_wcslen.LIBCMT ref: 005883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00585BF2), ref: 0058844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00588487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00588501
FreeLibrary.KERNEL32(?), ref: 0058850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0058851D
DestroyIcon.USER32(?,?,?,?,?,00585BF2), ref: 0058852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00588549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00588555

Strings

.exe, xrefs: 00588388
.icl, xrefs: 00588368
.dll, xrefs: 005883AB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a7d777b8b2838e2c4e84804e4718e2ddfa1b4eeedf77f78294f161f9b845c951
Instruction ID: 1f83270afc5b31c5a40ea970c767637fbd0355f559ebdd6601eb09f8d93dc174
Opcode Fuzzy Hash: a7d777b8b2838e2c4e84804e4718e2ddfa1b4eeedf77f78294f161f9b845c951
Instruction Fuzzy Hash: 6661D07250020ABAEB14EF64CC85BFE7BA8FF48711F504609FD15E61D1DB74A984DBA0

Function 004F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 004F785F, 004F78B1
#pragma compile, xrefs: 004F77D3
Bad directive syntax error, xrefs: 0053519A
#comments-end, xrefs: 004F78D9
#cs, xrefs: 004F7873, 004F78C5
#ce, xrefs: 004F78ED
#OnAutoItStartRegister, xrefs: 004F7817
Cannot parse #include, xrefs: 00535279
#include, xrefs: 004F7847
#notrayicon, xrefs: 004F77E7
#requireadmin, xrefs: 004F77FF
", xrefs: 00535153
', xrefs: 00535169
#include-once, xrefs: 004F782F
Unterminated group of comments, xrefs: 0053528C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ae7a21565c1a9ec49c081392fd3164e55f09300b013e1389f42f513cd8077e24
Instruction ID: 5fb17b156f1ea2fbf15d62a2342c937f9929ea4cacd7625c59cd08175db9a0e1
Opcode Fuzzy Hash: ae7a21565c1a9ec49c081392fd3164e55f09300b013e1389f42f513cd8077e24
Instruction Fuzzy Hash: D681DB7160460ABBEB21BF60CC46FBF3FA8BF55340F044025FA05AA196EB78D951C7A5

Function 00555A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00555A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00555A40
SetWindowTextW.USER32(?,?), ref: 00555A57
GetDlgItem.USER32(?,000003EA), ref: 00555A6C
SetWindowTextW.USER32(00000000,?), ref: 00555A72
GetDlgItem.USER32(?,000003E9), ref: 00555A82
SetWindowTextW.USER32(00000000,?), ref: 00555A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00555AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00555AC3
GetWindowRect.USER32(?,?), ref: 00555ACC
_wcslen.LIBCMT ref: 00555B33
SetWindowTextW.USER32(?,?), ref: 00555B6F
GetDesktopWindow.USER32 ref: 00555B75
GetWindowRect.USER32(00000000), ref: 00555B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00555BD3
GetClientRect.USER32(?,?), ref: 00555BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00555C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00555C2F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: eda6efc24bcae25fd7c42fb223a14bb174c1dfb3f8882587fb523fd6634b1587
Instruction ID: 7e63453b39afe99209650ed586d64b244511bbe35e1216d81141d27ac7483ece
Opcode Fuzzy Hash: eda6efc24bcae25fd7c42fb223a14bb174c1dfb3f8882587fb523fd6634b1587
Instruction Fuzzy Hash: 6E718031900B059FDB20DFA9CD69A6EBFF5FF48715F100919E942A25A0E774E948CB50

Function 005530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0055318D
_wcslen.LIBCMT ref: 005531F8

Strings

NAME, xrefs: 00553335, 00553346
REGEXPCLASS, xrefs: 00553255, 00553266
[[, xrefs: 0055339A
INSTANCE, xrefs: 00553453
CLASS, xrefs: 00553188, 005531A5
CLASSNN, xrefs: 005531F3, 00553204
TEXT, xrefs: 0055347C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[[
API String ID: 176396367-478666498
Opcode ID: 01efc1ed3869a616485bb058cee99f8f66592596084f38c49efa2cd03c4ccbe1
Instruction ID: 47fb182f5804c4f7322fa9917e222d69e47cc30f01803daef69936ed5406e1d8
Opcode Fuzzy Hash: 01efc1ed3869a616485bb058cee99f8f66592596084f38c49efa2cd03c4ccbe1
Instruction Fuzzy Hash: 83E1D732A00516ABCF189F74C4657EDBFB0BF54791F54852BE85AA7240EB30AE8DC790

Function 005100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005100C6

Part of subcall function 005100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005C070C,00000FA0,889C4B06,?,?,?,?,005323B3,000000FF), ref: 0051011C
Part of subcall function 005100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005323B3,000000FF), ref: 00510127
Part of subcall function 005100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005323B3,000000FF), ref: 00510138
Part of subcall function 005100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0051014E
Part of subcall function 005100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0051015C
Part of subcall function 005100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0051016A
Part of subcall function 005100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00510195
Part of subcall function 005100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005101A0

___scrt_fastfail.LIBCMT ref: 005100E7

Part of subcall function 005100A3: __onexit.LIBCMT ref: 005100A9

Strings

kernel32.dll, xrefs: 00510133
SleepConditionVariableCS, xrefs: 00510154
InitializeConditionVariable, xrefs: 00510148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00510122
WakeAllConditionVariable, xrefs: 00510162

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 414aedcce3681d2d055f38eab5075882a27be3b44decb7248ca2617e2a0b0965
Instruction ID: 7214b2f3ff1f4fab3dcfe755b73f254b80200af5b45fa4a09f9cb7c16ef04e9a
Opcode Fuzzy Hash: 414aedcce3681d2d055f38eab5075882a27be3b44decb7248ca2617e2a0b0965
Instruction Fuzzy Hash: 1B212532681711ABF7106BA4AC4DBAA3FD4FB58B50F002129FD01F62D1DAB49884CBA0

Function 005644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0058CC08), ref: 00564527
_wcslen.LIBCMT ref: 0056453B
_wcslen.LIBCMT ref: 00564599
_wcslen.LIBCMT ref: 005645F4
_wcslen.LIBCMT ref: 0056463F
_wcslen.LIBCMT ref: 005646A7

Part of subcall function 0050F9F2: _wcslen.LIBCMT ref: 0050F9FD

GetDriveTypeW.KERNEL32(?,005B6BF0,00000061), ref: 00564743

Strings

unknown, xrefs: 00564708
fixed, xrefs: 00564635, 0056463A
network, xrefs: 0056469D, 005646A2
cdrom, xrefs: 0056458F, 00564594
removable, xrefs: 005645EA, 005645EF
ramdisk, xrefs: 005646F1
all, xrefs: 00564531, 00564536

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: fe70a1633b8c7db97171df456dd8b3dcb21e4dd300a78d276d3f6e29a195d249
Instruction ID: c09853269059c1aab425d6054fcba6ec776bec035d12781b7ff83991ee1e53ed
Opcode Fuzzy Hash: fe70a1633b8c7db97171df456dd8b3dcb21e4dd300a78d276d3f6e29a195d249
Instruction Fuzzy Hash: 31B1CC716083029FC720EF28C890A7ABBE5BFA5764F504A1DF596C7291E734D845CFA2

Function 0058911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

DragQueryPoint.SHELL32(?,?), ref: 00589147

Part of subcall function 00587674: ClientToScreen.USER32(?,?), ref: 0058769A
Part of subcall function 00587674: GetWindowRect.USER32(?,?), ref: 00587710
Part of subcall function 00587674: PtInRect.USER32(?,?,00588B89), ref: 00587720

SendMessageW.USER32(?,000000B0,?,?), ref: 005891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00589225
SendMessageW.USER32(?,000000B0,?,?), ref: 0058923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00589255
SendMessageW.USER32(?,000000B1,?,?), ref: 00589277
DragFinish.SHELL32(?), ref: 0058927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00589371

Strings

@GUI_DRAGFILE, xrefs: 00589320
@GUI_DRAGID, xrefs: 005892E9
@GUI_DROPID, xrefs: 0058929E
p#\, xrefs: 005892BB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#\
API String ID: 221274066-311701890
Opcode ID: 67aff9702af1ad1add705aa1022a91859c759b39a323f62877ec1f93cd9eadd1
Instruction ID: 297453613279c14f9231f8ff90aaf2085a0e764671f7e19a8d7098adc6e80274
Opcode Fuzzy Hash: 67aff9702af1ad1add705aa1022a91859c759b39a323f62877ec1f93cd9eadd1
Instruction Fuzzy Hash: D0617A71108305AFC701EF55DC85DABBFE8FF99350F00092EF996A61A1DB309A49CB66

Function 004F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005C1990), ref: 00532F8D
GetMenuItemCount.USER32(005C1990), ref: 0053303D
GetCursorPos.USER32(?), ref: 00533081
SetForegroundWindow.USER32(00000000), ref: 0053308A
TrackPopupMenuEx.USER32(005C1990,00000000,?,00000000,00000000,00000000), ref: 0053309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005330A9

Strings

0, xrefs: 004F327D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 32e67d75580414520226146715748ed1107143794d9f380ebd7f152e2cb393b6
Instruction ID: b12becd10b0b385cb7d5e09a723501daac3185b65fe4ee1a10376ad2bba81fd7
Opcode Fuzzy Hash: 32e67d75580414520226146715748ed1107143794d9f380ebd7f152e2cb393b6
Instruction Fuzzy Hash: 8A714A3064060ABEFB259F64CC4EFAABF64FF01764F204216FA246A1E1C7B1AD14DB55

Function 00586CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00586DEB

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00586E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00586E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00586E94
DestroyWindow.USER32(?), ref: 00586EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004F0000,00000000), ref: 00586EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00586EFD
GetDesktopWindow.USER32 ref: 00586F16
GetWindowRect.USER32(00000000), ref: 00586F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00586F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00586F4D

Part of subcall function 00509944: GetWindowLongW.USER32(?,000000EB), ref: 00509952

Strings

tooltips_class32, xrefs: 00586E58, 00586EDD
0, xrefs: 00586D98

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 119b6afcc6228670b333aaa1f23fc6b7b9e93060f678e4bd8ae864c1e130f508
Instruction ID: 7236fe08f8c3aadb0d14d2ead1541dbf4381203ef2b27af449fac9b832141a5f
Opcode Fuzzy Hash: 119b6afcc6228670b333aaa1f23fc6b7b9e93060f678e4bd8ae864c1e130f508
Instruction Fuzzy Hash: AE715974104244AFDB21DF28D888EAABFE9FB99304F04041DFA99A7261D770E909DB25

Function 0056C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0056C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0056C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0056C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0056C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0056C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0056C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0056C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0056C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0056C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0056C5F0
InternetCloseHandle.WININET(00000000), ref: 0056C5FB

Strings

, xrefs: 0056C575

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 02c76b4243156f32f76f20962d24ed12fd52bb2350450b23a0fe2889b91a0a6c
Instruction ID: 06760862d64b5be3f34b452edf4b5075c09744051fbd157966bebb87d6ca59ab
Opcode Fuzzy Hash: 02c76b4243156f32f76f20962d24ed12fd52bb2350450b23a0fe2889b91a0a6c
Instruction Fuzzy Hash: 2B513CB1600209BFDB219F64CD48ABB7FBCFB28755F00441AF986D7650DB34E948AB60

Function 0058856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00588592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885BA
GlobalLock.KERNEL32(00000000), ref: 005885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885D7
GlobalUnlock.KERNEL32(00000000), ref: 005885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0058FC38,?), ref: 00588611
GlobalFree.KERNEL32(00000000), ref: 00588621
GetObjectW.GDI32(?,00000018,?), ref: 00588641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00588671
DeleteObject.GDI32(?), ref: 00588699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005886AF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9fd8ff8c7bf44ed0a538fe9366ad1a7498e477fa2d3aa7fbbe252deda6b96001
Instruction ID: 68adf4142fe9f92b6e1e9d87d4f5323a21c1f3068f0e669af7142356b47ae068
Opcode Fuzzy Hash: 9fd8ff8c7bf44ed0a538fe9366ad1a7498e477fa2d3aa7fbbe252deda6b96001
Instruction Fuzzy Hash: 4E41E875600204AFDB119FA5DC88EAA7FB9FF99B11F144058FD46E72A0DB309905DB60

Function 005614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00561502
VariantCopy.OLEAUT32(?,?), ref: 0056150B
VariantClear.OLEAUT32(?), ref: 00561517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00561657
VariantInit.OLEAUT32(?), ref: 00561708
SysFreeString.OLEAUT32(?), ref: 0056178C
VariantClear.OLEAUT32(?), ref: 005617D8
VariantClear.OLEAUT32(?), ref: 005617E7
VariantInit.OLEAUT32(00000000), ref: 00561823

Strings

Default, xrefs: 005616AF
%4d%02d%02d%02d%02d%02d, xrefs: 00561625

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 88d199b1c016a7ba9e4f378cf31c571018b7e0c3bbd47185b1926951a874695d
Instruction ID: 44db7ebd282156a283b273b47bdaac8ad1d32900e8adbb28b6783b801ca88e25
Opcode Fuzzy Hash: 88d199b1c016a7ba9e4f378cf31c571018b7e0c3bbd47185b1926951a874695d
Instruction Fuzzy Hash: FED1FE72A00A05DBDB109F65E888B7DFFB5BF84700F18845AE807AB590EB34EC44DB65

Function 0057B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0057B80A
RegCloseKey.ADVAPI32(?), ref: 0057B87E
RegCloseKey.ADVAPI32(?), ref: 0057B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0057B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0057B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0057B922
FreeLibrary.KERNEL32(00000000), ref: 0057B983
RegCloseKey.ADVAPI32(00000000), ref: 0057B994

Strings

RegDeleteKeyExW, xrefs: 0057B8FE
advapi32.dll, xrefs: 0057B8ED

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f8513d29577f487cb5164138ea08320c0f09bfacbe72dd9ab3e88e8162698d98
Instruction ID: 9030c368a54c1078397885558127f1706d480ca8cf502026b100f8d20d3cc0ea
Opcode Fuzzy Hash: f8513d29577f487cb5164138ea08320c0f09bfacbe72dd9ab3e88e8162698d98
Instruction Fuzzy Hash: F8C17B30204201AFE714DF15D494F2ABBE5FF84308F14C55DE5AA8B2A2CB75ED45DB92

Function 0057255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005725E8
CreateCompatibleDC.GDI32(?), ref: 005725F4
SelectObject.GDI32(00000000,?), ref: 00572601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0057266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005726D0
SelectObject.GDI32(?,?), ref: 005726D8
DeleteObject.GDI32(?), ref: 005726E1
DeleteDC.GDI32(?), ref: 005726E8
ReleaseDC.USER32(00000000,?), ref: 005726F3

Strings

(, xrefs: 0057268D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f7c09a3cae3600cd2f0d28ff1d19aba27a6a65279f8598e49eade171aefe2a04
Instruction ID: d364579aef1b5c130a4d34de4023364ab397ff41a5710573fea2c5fc1839e8ff
Opcode Fuzzy Hash: f7c09a3cae3600cd2f0d28ff1d19aba27a6a65279f8598e49eade171aefe2a04
Instruction Fuzzy Hash: E061D475D00219EFCF14CFA4D888AAEBFB5FF58310F20852AE95AA7250D770A951DF60

Function 0052DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0052DAA1

Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D659
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D66B
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D67D
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D68F
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6A1
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6B3
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6C5
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6D7
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6E9
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6FB
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D70D
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D71F
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D731

_free.LIBCMT ref: 0052DA96

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052DAB8
_free.LIBCMT ref: 0052DACD
_free.LIBCMT ref: 0052DAD8
_free.LIBCMT ref: 0052DAFA
_free.LIBCMT ref: 0052DB0D
_free.LIBCMT ref: 0052DB1B
_free.LIBCMT ref: 0052DB26
_free.LIBCMT ref: 0052DB5E
_free.LIBCMT ref: 0052DB65
_free.LIBCMT ref: 0052DB82
_free.LIBCMT ref: 0052DB9A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5d8db694c829cea385bf48e601999551412684d65b4a7c6f82976c184f53439f
Instruction ID: 3132f7810d2adfdbb71ac163df3cf532937ff3990c1d180e35d374a8add94623
Opcode Fuzzy Hash: 5d8db694c829cea385bf48e601999551412684d65b4a7c6f82976c184f53439f
Instruction Fuzzy Hash: B9315736604626AFEB21AB38F849B5ABFF9FF46310F554429E449D71D1DB31AC808B30

Function 0055365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0055369C
_wcslen.LIBCMT ref: 005536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00553797
GetClassNameW.USER32(?,?,00000400), ref: 0055380C
GetDlgCtrlID.USER32(?), ref: 0055385D
GetWindowRect.USER32(?,?), ref: 00553882
GetParent.USER32(?), ref: 005538A0
ScreenToClient.USER32(00000000), ref: 005538A7
GetClassNameW.USER32(?,?,00000100), ref: 00553921
GetWindowTextW.USER32(?,?,00000400), ref: 0055395D

Strings

%s%u, xrefs: 00553734

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 5feee900ed68f14ecf8340d6c2c635ada3bffb0ccf97a7881a62f50f99e440e5
Instruction ID: 6ff3d5cd118a260b5ee239ab7c689a11c2ca745aaf26a73489b1ec68766293ea
Opcode Fuzzy Hash: 5feee900ed68f14ecf8340d6c2c635ada3bffb0ccf97a7881a62f50f99e440e5
Instruction Fuzzy Hash: 0791B4B1204606AFD719DF24C8A5BAAFBA8FF44391F00452AFD99D2150DB30EA5DCB91

Function 00554954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00554994
GetWindowTextW.USER32(?,?,00000400), ref: 005549DA
_wcslen.LIBCMT ref: 005549EB
CharUpperBuffW.USER32(?,00000000), ref: 005549F7
_wcsstr.LIBVCRUNTIME ref: 00554A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00554A64
GetWindowTextW.USER32(?,?,00000400), ref: 00554A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00554AE6
GetClassNameW.USER32(?,?,00000400), ref: 00554B20
GetWindowRect.USER32(?,?), ref: 00554B8B

Strings

ThumbnailClass, xrefs: 00554A6F, 00554AF1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 2b30ccccb5fa9f6521a7e6e55842497b84d5ceecd4a35440083bf3813baa656f
Instruction ID: b97bca61f882e052335a64c02c4cc0eeff8719c9b146d59b81370af5b7d5bdeb
Opcode Fuzzy Hash: 2b30ccccb5fa9f6521a7e6e55842497b84d5ceecd4a35440083bf3813baa656f
Instruction Fuzzy Hash: 9F91AD310042069FDF04DF14C995BAA7BE9FF84359F04846AFD859A096EB34ED89CFA1

Function 00588D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00588D5A
GetFocus.USER32 ref: 00588D6A
GetDlgCtrlID.USER32(00000000), ref: 00588D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00588E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00588ECF
GetMenuItemCount.USER32(?), ref: 00588EEC
GetMenuItemID.USER32(?,00000000), ref: 00588EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00588F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00588F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00588FA1

Strings

0, xrefs: 00588E9F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 34aee703f14146a99dcc46263906280df1c2028b37f59dbe4bba62649ca5c64e
Instruction ID: 158a9e8ad7234043043faf66f900405ee645ea896051b8eed848a4868b4c723f
Opcode Fuzzy Hash: 34aee703f14146a99dcc46263906280df1c2028b37f59dbe4bba62649ca5c64e
Instruction Fuzzy Hash: 5F81AD715083029FDB20EF24D884ABB7FE9FB98314F540929FE84A7291DB70D905DBA1

Function 0055DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0055DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0055DC46
_wcslen.LIBCMT ref: 0055DC50
_wcsstr.LIBVCRUNTIME ref: 0055DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0055DCBC

Strings

\VarFileInfo\Translation, xrefs: 0055DCB4
%u.%u.%u.%u, xrefs: 0055DD9A
StringFileInfo\, xrefs: 0055DC8F
DefaultLangCodepage, xrefs: 0055DD1F
04090000, xrefs: 0055DCF2

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 96f0a6397945512c56e16e6d3e5e858e9826f44ed912ab76707e8b64c10959b9
Instruction ID: d0e0da0ce07a7831de485e213de961f5b41fd0701b00ddf217ae956c7a362739
Opcode Fuzzy Hash: 96f0a6397945512c56e16e6d3e5e858e9826f44ed912ab76707e8b64c10959b9
Instruction Fuzzy Hash: 084106329402067AEB20A764DC0BEFF7FBCFF95711F14006AFD00A6182EA749A4497B5

Function 0057CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0057CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0057CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0057CD48

Part of subcall function 0057CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0057CCAA
Part of subcall function 0057CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0057CCBD
Part of subcall function 0057CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0057CCCF
Part of subcall function 0057CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0057CD05
Part of subcall function 0057CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0057CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0057CCF3

Strings

RegDeleteKeyExW, xrefs: 0057CCC9
advapi32.dll, xrefs: 0057CCB8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: c75d231ecef21b275fb3c4d87f07f7c871bad016307008fca59c819b0a7faf76
Instruction ID: 507885beb4fe42b34e85c5d699a78db9ef6602e662d8099f944d5f4acbd9e3d4
Opcode Fuzzy Hash: c75d231ecef21b275fb3c4d87f07f7c871bad016307008fca59c819b0a7faf76
Instruction Fuzzy Hash: A9316971901129BBDB219B50EC88EEFBF7CFF55740F004169A90AE6240DA309E49EBB0

Function 0055E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0055E6B4

Part of subcall function 0050E551: timeGetTime.WINMM(?,?,0055E6D4), ref: 0050E555

Sleep.KERNEL32(0000000A), ref: 0055E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0055E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0055E727
SetActiveWindow.USER32 ref: 0055E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0055E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0055E773
Sleep.KERNEL32(000000FA), ref: 0055E77E
IsWindow.USER32 ref: 0055E78A
EndDialog.USER32(00000000), ref: 0055E79B

Strings

BUTTON, xrefs: 0055E719

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 75b5fe7c5683050fcb8c64ccc3d0aaa761cd527a575d0f7ae8713213ae9e7d41
Instruction ID: 07f21285ec178ea6456d70ebf8ce4f11ced276430ec699f4afe879cf49f6ea3e
Opcode Fuzzy Hash: 75b5fe7c5683050fcb8c64ccc3d0aaa761cd527a575d0f7ae8713213ae9e7d41
Instruction Fuzzy Hash: 97217F70200641AFEB045B21EC9AE253E69FB6578AF101426FC55915A1DF71AD4CBB34

Function 0055E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0055EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0055EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0055EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0055EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0055EAA7

Strings

alias PlayMe, xrefs: 0055EA36
play PlayMe wait, xrefs: 0055EA91
play PlayMe, xrefs: 0055EAA2
status PlayMe mode, xrefs: 0055EA58
open , xrefs: 0055EA0C
close PlayMe, xrefs: 0055EA6E, 0055EA9B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: dcdc5b38fcf7ad5baa30f0ea0fc6b62914a5779f900b4b513db10bae05b08cd4
Instruction ID: a37e4975e6df8b2a116412817c23db11f883e0a14b1e40779f0a605f60434cdf
Opcode Fuzzy Hash: dcdc5b38fcf7ad5baa30f0ea0fc6b62914a5779f900b4b513db10bae05b08cd4
Instruction Fuzzy Hash: 68114F31A5026979D724A7B2DC5AEFF6EBCFBD1B44F00042AB911A20D1EEB41A49C5B0

Function 00508BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00508F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00508BE8,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 00508FC5

DestroyWindow.USER32(?), ref: 00508C81
KillTimer.USER32(00000000,?,?,?,?,00508BBA,00000000,?), ref: 00508D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00546973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 005469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 005469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00508BBA,00000000), ref: 005469D4
DeleteObject.GDI32(00000000), ref: 005469E6

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 453147b05fac14e63d8956c58a96670cb693f4ca90f6932aa3e1438e1cba04af
Instruction ID: f1a137b2361a3f8634e2fcbc48d2e27fec38b5b7bc0e2b59394d601ae193091c
Opcode Fuzzy Hash: 453147b05fac14e63d8956c58a96670cb693f4ca90f6932aa3e1438e1cba04af
Instruction Fuzzy Hash: B961CD31002A01DFDB259F14D948F797FF1FB62316F14591CE082AA9A0CB71AC88EF65

Function 00509838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00509944: GetWindowLongW.USER32(?,000000EB), ref: 00509952

GetSysColor.USER32(0000000F), ref: 00509862

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c52b2e7df1fea76b5835c81157511b75689bcd9ac9b05b8699f207ee3cd1e19a
Instruction ID: 849e5d1319a728aebdd5be3e7a7ac250adb55554f0fa0c0972ad1b6476960267
Opcode Fuzzy Hash: c52b2e7df1fea76b5835c81157511b75689bcd9ac9b05b8699f207ee3cd1e19a
Instruction Fuzzy Hash: 5F41BF71104644AFDB205F389C88BBD3FA5BB56330F148655F9A29B2E7D7309C42EB60

Function 00528D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.Q, xrefs: 0052903A, 00528FD0, 00528FF2

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: .Q
API String ID: 0-3049930668
Opcode ID: 96dc7c2d1db751bda353c358a901cd92db1beba800c1833f992888c55c988da1
Instruction ID: 6da3e753f1948f8d6232ba48cb20cf4995b2038a1201c7fded3c6a915562d8dc
Opcode Fuzzy Hash: 96dc7c2d1db751bda353c358a901cd92db1beba800c1833f992888c55c988da1
Instruction Fuzzy Hash: B4C1F479E04269AFDB11DFE8E849BADBFB4BF5A310F044099E415A73D2CB309941CB61

Function 005596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0053F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00559717
LoadStringW.USER32(00000000,?,0053F7F8,00000001), ref: 00559720

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0053F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00559742
LoadStringW.USER32(00000000,?,0053F7F8,00000001), ref: 00559745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00559866

Strings

^ ERROR, xrefs: 005597FB
Error: , xrefs: 0055981D
%s (%d) : ==> %s: %s %s, xrefs: 0055984A
Line %d (File "%s"):, xrefs: 0055978F
Line %d:, xrefs: 005597A0

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 73c707ab84328ed91c3d098378eee831869419266c7dae320e1a35811595b8ec
Instruction ID: f03f92ffad9a2d6f2f674b398bd63f560f224ca3f423971fb2183cf3ea3d9f5b
Opcode Fuzzy Hash: 73c707ab84328ed91c3d098378eee831869419266c7dae320e1a35811595b8ec
Instruction Fuzzy Hash: 7F414E7280021DAACF04FBA1CD96EFE7B78AF54745F10042AFA0572091EB396F48CB65

Function 005506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00550804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0055082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00550837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0055083C

Strings

SOFTWARE\Classes\, xrefs: 0055070E
\CLSID, xrefs: 00550724
\IPC$, xrefs: 00550784

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4052af2a181ef8203d98faf10f09ea47f43acac36e9ba5a6cbb93b06630fd1c1
Instruction ID: b89f2ded6ca2e09304887ac73aa7bfdb65c8e44e04996d91e9cb79030f7090d3
Opcode Fuzzy Hash: 4052af2a181ef8203d98faf10f09ea47f43acac36e9ba5a6cbb93b06630fd1c1
Instruction Fuzzy Hash: F541197181022DABDF15EF95DC95DFDBB78BF04384F04412AE901A31A0EB34AD18CBA0

Function 00567A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00567AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00567B8F
SHGetDesktopFolder.SHELL32(?), ref: 00567BA3
CoCreateInstance.OLE32(0058FD08,00000000,00000001,005B6E6C,?), ref: 00567BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00567C74
CoTaskMemFree.OLE32(?,?), ref: 00567CCC
SHBrowseForFolderW.SHELL32(?), ref: 00567D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00567D7A
CoTaskMemFree.OLE32(00000000), ref: 00567D81
CoTaskMemFree.OLE32(00000000), ref: 00567DD6
CoUninitialize.OLE32 ref: 00567DDC

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 654ab372d1bfee4b2b2983d3c99167769f971d35aaea338ecd80e801a8a00390
Instruction ID: 5580905e1ad418c0731f0704c5639c55bad287c87dcd94b641da7d33f3dc1623
Opcode Fuzzy Hash: 654ab372d1bfee4b2b2983d3c99167769f971d35aaea338ecd80e801a8a00390
Instruction Fuzzy Hash: 69C12C75A04109AFDB14DFA4C884DAEBBF9FF48308B148499E919EB361D734EE45CB90

Function 0058541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00585504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00585515
CharNextW.USER32(00000158), ref: 00585544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00585585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0058559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005855AC

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e41c9a12a0f2df1c1f84553764bc2c996838cb50e0c9db0274193560bc1afdbe
Instruction ID: 42745b04112eaceb1a2295a11612348d0051d403b9466b2bbae39519b7a54e72
Opcode Fuzzy Hash: e41c9a12a0f2df1c1f84553764bc2c996838cb50e0c9db0274193560bc1afdbe
Instruction Fuzzy Hash: EF618A30900609ABDF11AFA5CC85AFE7FB9FF09321F104555FD25BA2A0E7748A84DB60

Function 0054FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0054FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0054FB08
VariantInit.OLEAUT32(?), ref: 0054FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0054FB3A
VariantCopy.OLEAUT32(?,?), ref: 0054FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0054FBA1
VariantClear.OLEAUT32(?), ref: 0054FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0054FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0054FBCC
VariantClear.OLEAUT32(?), ref: 0054FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0054FBE9

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d30bfae2090720c6d33ed5f6364942a74664e344f5da4152ac1834491f151cf6
Instruction ID: 14ef363ed0d7c7d8392ce246e92bd0a1c8cb8720e3406a8e5070852733e0b5c8
Opcode Fuzzy Hash: d30bfae2090720c6d33ed5f6364942a74664e344f5da4152ac1834491f151cf6
Instruction Fuzzy Hash: 17415F35A002199FCF00DF68D858DEEBFB9FF58349F008069E905A7261DB30A945DBA0

Function 00559C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00559CA1
GetAsyncKeyState.USER32(000000A0), ref: 00559D22
GetKeyState.USER32(000000A0), ref: 00559D3D
GetAsyncKeyState.USER32(000000A1), ref: 00559D57
GetKeyState.USER32(000000A1), ref: 00559D6C
GetAsyncKeyState.USER32(00000011), ref: 00559D84
GetKeyState.USER32(00000011), ref: 00559D96
GetAsyncKeyState.USER32(00000012), ref: 00559DAE
GetKeyState.USER32(00000012), ref: 00559DC0
GetAsyncKeyState.USER32(0000005B), ref: 00559DD8
GetKeyState.USER32(0000005B), ref: 00559DEA

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cc5bac603b5b1c48ed66c741de47e60e680be53e9a7d56faba04111d2c374b8f
Instruction ID: b131d0a18d2adf2eee566e6cfffe4f82201d46d02aa55d3ea4681ca127e4720a
Opcode Fuzzy Hash: cc5bac603b5b1c48ed66c741de47e60e680be53e9a7d56faba04111d2c374b8f
Instruction Fuzzy Hash: 0B4196345047C9A9FF31966488253B5BEB07F21345F08805BDEC65A5C2EBADADCCC7A2

Function 0057055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005705BC
inet_addr.WSOCK32(?), ref: 0057061C
gethostbyname.WSOCK32(?), ref: 00570628
IcmpCreateFile.IPHLPAPI ref: 00570636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005707B9
WSACleanup.WSOCK32 ref: 005707BF

Strings

Ping, xrefs: 00570676

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 69ae0193bfc7de69c1329b08020e1115bc9ded1878c648de3317cdeeb30a2456
Instruction ID: c6abc6d48119ac8fcd75b7c1705ba48c759875c691844fefb77987c6fcb9ef0a
Opcode Fuzzy Hash: 69ae0193bfc7de69c1329b08020e1115bc9ded1878c648de3317cdeeb30a2456
Instruction Fuzzy Hash: C1917835604201EFD324DF15E888B2ABFE0FB84318F14D9A9E4699B6A2C734EC45DF91

Function 00578CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00578CF3

Part of subcall function 00558E54: _wcslen.LIBCMT ref: 00558E77

_wcslen.LIBCMT ref: 00578D4E
_wcslen.LIBCMT ref: 00578D9C
_wcslen.LIBCMT ref: 00578DDC
_wcslen.LIBCMT ref: 00578E6E

Strings

cdecl, xrefs: 00578D48, 00578D4D
winapi, xrefs: 00578D96, 00578D9B
none, xrefs: 00578E65, 00578E6A
stdcall, xrefs: 00578DD6, 00578DDB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a9429416473a91c52f00b81e539bf3149808cba801a1a074082f90ebf3bfca30
Instruction ID: ed6bd85abf77e9c0e31a6fdc358977a95cfa3f2dbe234a835ca559eeeabe48a2
Opcode Fuzzy Hash: a9429416473a91c52f00b81e539bf3149808cba801a1a074082f90ebf3bfca30
Instruction Fuzzy Hash: A851D731A405169BCF24DF6CD8449BEBBA5BF64324B20822AE92AE73C4DF34DD40D790

Function 0057372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00573774
CoUninitialize.OLE32 ref: 0057377F
CoCreateInstance.OLE32(?,00000000,00000017,0058FB78,?), ref: 005737D9
IIDFromString.OLE32(?,?), ref: 0057384C
VariantInit.OLEAUT32(?), ref: 005738E4
VariantClear.OLEAUT32(?), ref: 00573936

Strings

Failed to create object, xrefs: 005737E4, 0057389A
NULL Pointer assignment, xrefs: 0057381E
Invalid parameter, xrefs: 00573865

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 59f4e1019291eae4d6ecaa4e06380659b03697400560f20206a787e40ece4083
Instruction ID: 34559812fad19817e97ccffae11e22d64f890a17626576f4ff593f42f6d5c86c
Opcode Fuzzy Hash: 59f4e1019291eae4d6ecaa4e06380659b03697400560f20206a787e40ece4083
Instruction Fuzzy Hash: 97618F71608301AFD310DF54D849B6ABFE4FF88725F108809F98997291D770EE48EB92

Function 00568195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00568257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00568267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00568273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00568310
SetCurrentDirectoryW.KERNEL32(?), ref: 00568324
SetCurrentDirectoryW.KERNEL32(?), ref: 00568356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0056838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00568395

Strings

*.*, xrefs: 0056839B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6f5aee77c3f8542bb3ceb5934a6fd9030165e7a2abd808d92e02e6e3bb2f2113
Instruction ID: 189874d7f63183032d5eea7b7837cf07e754c93e79a8c5c9656aaf366a0bf6ab
Opcode Fuzzy Hash: 6f5aee77c3f8542bb3ceb5934a6fd9030165e7a2abd808d92e02e6e3bb2f2113
Instruction Fuzzy Hash: D9617BB25043059FCB10EF60C8549AEBBE9FF89314F044D1EF98997251DB35E949CBA2

Function 00588B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

Part of subcall function 0050912D: GetCursorPos.USER32(?), ref: 00509141
Part of subcall function 0050912D: ScreenToClient.USER32(00000000,?), ref: 0050915E
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000001), ref: 00509183
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000002), ref: 0050919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00588B6B
ImageList_EndDrag.COMCTL32 ref: 00588B71
ReleaseCapture.USER32 ref: 00588B77
SetWindowTextW.USER32(?,00000000), ref: 00588C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00588C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00588CFF

Strings

@GUI_DRAGFILE, xrefs: 00588C9A
@GUI_DROPID, xrefs: 00588C51
p#\, xrefs: 00588C71

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#\
API String ID: 1924731296-509227506
Opcode ID: 5bc7c3223d10ac42d6344835ff6185fcdd48a844540df16a98f8a9d24b206463
Instruction ID: 099e4ddbd3ac63e6fe2c8d05728404717f99073b2f5f175e39f25c9660c825f5
Opcode Fuzzy Hash: 5bc7c3223d10ac42d6344835ff6185fcdd48a844540df16a98f8a9d24b206463
Instruction Fuzzy Hash: BB517A70104204AFD700EF15D85AFBA7BE4FB88754F40062DF9966B2E2DB709D08CB66

Function 00563388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005633CF

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005633F0

Strings

Error: , xrefs: 005634D1
"%s" (%d) : ==> %s:, xrefs: 00563522
^ ERROR , xrefs: 0056349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00563504
Incorrect parameters to object property !, xrefs: 005634AB
Line %d (File "%s"):, xrefs: 00563443, 0056345C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 42263a7b9f9dc398dd31f2cfd6494e10d01a9a26d9c45459393637eb1f59da85
Instruction ID: 9fb4c37eed298fa812c72c154c02b8a8053efeb5dfe0319716366f020cd6d588
Opcode Fuzzy Hash: 42263a7b9f9dc398dd31f2cfd6494e10d01a9a26d9c45459393637eb1f59da85
Instruction Fuzzy Hash: EC51DD7180060AAADF15EBA1CD46EFEBB78BF14745F10406AF90573092EB392F58DB64

Function 0055B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0055B5FC
_wcslen.LIBCMT ref: 0055B608
_wcslen.LIBCMT ref: 0055B64D
_wcslen.LIBCMT ref: 0055B68C
_wcslen.LIBCMT ref: 0055B6C7

Strings

EXISTS, xrefs: 0055B686, 0055B68B
REMOVE, xrefs: 0055B602, 0055B607
APPEND, xrefs: 0055B6C1, 0055B6C6
KEYS, xrefs: 0055B647, 0055B64C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e84d0ea8d70d819371183352bea71dc0c736316cab8177877a0324ec9e01ee84
Instruction ID: ba937458e2c5cfbbc91b41b8ea8d08b40aafd3703e48544d7ae9f199bc812bea
Opcode Fuzzy Hash: e84d0ea8d70d819371183352bea71dc0c736316cab8177877a0324ec9e01ee84
Instruction Fuzzy Hash: 5A41D632A000279ADB105F7DC8A45BE7FA5FFA0795B24422BEC21D7284E735CD85C790

Function 00565393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00565416
GetLastError.KERNEL32 ref: 00565420
SetErrorMode.KERNEL32(00000000,READY), ref: 005654A7

Strings

NOTREADY, xrefs: 0056544B
READY, xrefs: 00565460, 00565468
INVALID, xrefs: 00565459
UNKNOWN, xrefs: 00565444
READONLY, xrefs: 00565452

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ca8dc4ca98fc7dced15ed36968d219e2a1d224faed69b3194b7caf9febd90ec0
Instruction ID: faf0595bdb58ef6fef62e8f84f5dda677431af649ee32a30c620c53db27b9384
Opcode Fuzzy Hash: ca8dc4ca98fc7dced15ed36968d219e2a1d224faed69b3194b7caf9febd90ec0
Instruction Fuzzy Hash: F731B535A405059FCB10DF68C484BAA7FB4FF44306F1484A9E505DB252EF75DD86CB90

Function 00583C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00583C79
SetMenu.USER32(?,00000000), ref: 00583C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00583D10
IsMenu.USER32(?), ref: 00583D24
CreatePopupMenu.USER32 ref: 00583D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00583D5B
DrawMenuBar.USER32 ref: 00583D63

Strings

0, xrefs: 00583C54
F, xrefs: 00583D4E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4bb00fcb1404dd742483245f0b78d0f32b2821df47c6b3da7431d22426489ef9
Instruction ID: 62e4f9aa0be3b3c214dd7ec8a6cdde9788d0bedc0c0db694e4f348a6c7b382a8
Opcode Fuzzy Hash: 4bb00fcb1404dd742483245f0b78d0f32b2821df47c6b3da7431d22426489ef9
Instruction Fuzzy Hash: 7B418875A02209AFDF14DF64E884EAA7FB5FF49340F144029ED46A7360D730AA14DBA4

Function 00583A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00583A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00583AA0
GetWindowLongW.USER32(?,000000F0), ref: 00583AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00583AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00583B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00583BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00583BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00583BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00583BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00583C13

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5bb917554b509d280f9e678af95026b7f13d50b7005db11dc995eb79f892fa4b
Instruction ID: ee436d0433da57165a14457d837fb46dceb41c6f51009a4a6ab4735138f8f821
Opcode Fuzzy Hash: 5bb917554b509d280f9e678af95026b7f13d50b7005db11dc995eb79f892fa4b
Instruction Fuzzy Hash: 76615C75900248AFDB10EFA8CC81EEE7BB8FF49700F104199FA15AB292D774AE45DB54

Function 0055B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0055B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B165
GetWindowThreadProcessId.USER32(00000000), ref: 0055B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0055B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B21D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9d44ec63ee9a565eca5262de9d61329fe488dd975158048a67929d665cb057fa
Instruction ID: a5382adca7ba437c52653b1b37c6324fe800e785867d0785d9d509802b7dd2bc
Opcode Fuzzy Hash: 9d44ec63ee9a565eca5262de9d61329fe488dd975158048a67929d665cb057fa
Instruction Fuzzy Hash: EC318C76500A08AFEB109F64EC5CFAD7FA9BB61312F108056FE01E6190E7B49A48DF70

Function 00522C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00522C94

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 00522CA0
_free.LIBCMT ref: 00522CAB
_free.LIBCMT ref: 00522CB6
_free.LIBCMT ref: 00522CC1
_free.LIBCMT ref: 00522CCC
_free.LIBCMT ref: 00522CD7
_free.LIBCMT ref: 00522CE2
_free.LIBCMT ref: 00522CED
_free.LIBCMT ref: 00522CFB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a5d198dcbc767c780b88cc20dc6b389015d93b1cb79568ffbf604fc41185d4c8
Instruction ID: 010a45b88fce28c24a2e6ab07e861a3b683559a0f24b402d7310d0b2b5a2d983
Opcode Fuzzy Hash: a5d198dcbc767c780b88cc20dc6b389015d93b1cb79568ffbf604fc41185d4c8
Instruction Fuzzy Hash: 9D11967A100119BFCB02EF54E986CDD3FA5FF4A350F8144A5F9485B262D631EE909B90

Function 004F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004F5C7A

Part of subcall function 004F5D0A: GetClientRect.USER32(?,?), ref: 004F5D30
Part of subcall function 004F5D0A: GetWindowRect.USER32(?,?), ref: 004F5D71
Part of subcall function 004F5D0A: ScreenToClient.USER32(?,?), ref: 004F5D99

GetDC.USER32 ref: 005346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00534708
SelectObject.GDI32(00000000,00000000), ref: 00534716
SelectObject.GDI32(00000000,00000000), ref: 0053472B
ReleaseDC.USER32(?,00000000), ref: 00534733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005347C4

Strings

U, xrefs: 00534693

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 794c9b0474d704569bbe7093fa6083cc2830563c807033a9e7730d7c15499925
Instruction ID: 8de1d77d7b733ead68d2e19d6e49ac8bd1d17e334fd63fcdfb760a877a12e25d
Opcode Fuzzy Hash: 794c9b0474d704569bbe7093fa6083cc2830563c807033a9e7730d7c15499925
Instruction Fuzzy Hash: 2671F331400609DFCF218F64CD85ABA7FB5FF4A354F14426AEE566A2A6C334AC42DF60

Function 0056359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005635E4

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

LoadStringW.USER32(005C2390,?,00000FFF,?), ref: 0056360A

Strings

^ ERROR, xrefs: 005636C9
Error: , xrefs: 005636EF
"%s" (%d) : ==> %s:, xrefs: 00563742
"%s" (%d) : ==> %s:%s%s, xrefs: 00563724
Line %d (File "%s"):, xrefs: 0056366B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: df9f2476fadec14c4d91c230739d2a6aa75784a9542896b89c6b0221928b66f0
Instruction ID: f6442a95998ad63d9252d9d26f2fb5afda2e1ff4a076e4e6d5696c26a406a1c5
Opcode Fuzzy Hash: df9f2476fadec14c4d91c230739d2a6aa75784a9542896b89c6b0221928b66f0
Instruction Fuzzy Hash: FB517F7180060AAADF15EBA1CC42EFDBF74FF14745F14412AF60572191DB342B98DB64

Function 0056C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0056C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0056C2CA
GetLastError.KERNEL32 ref: 0056C322
SetEvent.KERNEL32(?), ref: 0056C336
InternetCloseHandle.WININET(00000000), ref: 0056C341

Strings

, xrefs: 0056C2BB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e7cd2fbdec0e8b9d7057c99520b84a60a7e2243a3ac4c91f1ae6e7c3020fc7dc
Instruction ID: bff40205b03fada04bab52b6e7e18ab1b1714d34847ff1b37f3178b2a88d4de8
Opcode Fuzzy Hash: e7cd2fbdec0e8b9d7057c99520b84a60a7e2243a3ac4c91f1ae6e7c3020fc7dc
Instruction Fuzzy Hash: 01315AB1600208AFD7219F649888ABB7FFCFB59744B10891EA886E7200DB34DD089B70

Function 0055989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00533AAF,?,?,Bad directive syntax error,0058CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005598BC
LoadStringW.USER32(00000000,?,00533AAF,?), ref: 005598C3

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00559987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 005598F1
Error: , xrefs: 00559955
., xrefs: 0055996D
Line %d (File "%s"):, xrefs: 0055992D
Line %d:, xrefs: 00559912

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: e7fe830281f896583d26088e6fcc63f2d882fe22318ca3073a4ba108005136e3
Instruction ID: 41bbf9dfed33519cefdcacd38c688dacb20afd2cee4dc08439dd092e1d2677e0
Opcode Fuzzy Hash: e7fe830281f896583d26088e6fcc63f2d882fe22318ca3073a4ba108005136e3
Instruction Fuzzy Hash: AB216F3180021EEBCF11EF90CC5AEED7B75BF14745F04442AFA15620A1EB79AA18DB20

Function 0055209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0055214D

Strings

SHELLDLL_DefView, xrefs: 005520CC
details, xrefs: 005520FB
smallicons, xrefs: 00552115
list, xrefs: 0055212F
largeicons, xrefs: 005520E1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 268daed558611a6677929222a16830826c4505ecf7c227ca570ed2215b7167d6
Instruction ID: ef5e9e5b67385a3f84463f5c2f63c8c112848645625a3a8a7e13c863cf4651fb
Opcode Fuzzy Hash: 268daed558611a6677929222a16830826c4505ecf7c227ca570ed2215b7167d6
Instruction Fuzzy Hash: 9A112776288B07BAF60562209C1BDE73F9CFF16325F201027FF05A40D1FE6168899B14

Function 0052CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0052CEB7
_free.LIBCMT ref: 0052CF22
_free.LIBCMT ref: 0052CF48
_free.LIBCMT ref: 0052CF71
_free.LIBCMT ref: 0052CFA9
_free.LIBCMT ref: 0052CFDA
_free.LIBCMT ref: 0052D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0052D09C
_free.LIBCMT ref: 0052D0B5

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0c1c93b7a2a73fea16ab29c958af7b897b9849df92c4e31ecb5996f29c403296
Instruction ID: ef2b78d90c108d5a5594bcd345e99851ec0ea1192bd88f5eaabf87ffc3717944
Opcode Fuzzy Hash: 0c1c93b7a2a73fea16ab29c958af7b897b9849df92c4e31ecb5996f29c403296
Instruction Fuzzy Hash: 45614772904721AFDB21AFB4BD89A6E7FA5BF47310F04026DF905A72C2E6319D41D7A0

Function 005850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00585186
ShowWindow.USER32(?,00000000), ref: 005851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005851D1

Part of subcall function 00586FBA: DeleteObject.GDI32(00000000), ref: 00586FE6

GetWindowLongW.USER32(?,000000F0), ref: 0058520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0058521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0058524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00585287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00585296

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 809cded524d96f7571e70b2f0fe09d90f4ba29c65eba0127d264ac7dc933cda4
Instruction ID: 7298ee47408b1a327f57c2ecd3d812354bdef7df465ff79c3813233fb1bf281b
Opcode Fuzzy Hash: 809cded524d96f7571e70b2f0fe09d90f4ba29c65eba0127d264ac7dc933cda4
Instruction Fuzzy Hash: A751AF34A50A09BEEF20AF24CC4EBD83F65FB45321F144011FE56BA2E1EB75A994DB50

Function 00508B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00546890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00508874,00000000,00000000,00000000,000000FF,00000000), ref: 00546901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0054691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00508874,00000000,00000000,00000000,000000FF,00000000), ref: 0054692D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 227066bec85f9e881dd3d2a2d809f1d8e595cc07bce9e0e56caf1c3acc3bce7f
Instruction ID: 0cb28a0220c7d562f6baf7bca491ac6675ad50d3bfaba57b5aeca74f10f1c14a
Opcode Fuzzy Hash: 227066bec85f9e881dd3d2a2d809f1d8e595cc07bce9e0e56caf1c3acc3bce7f
Instruction Fuzzy Hash: 42518770600609EFDB20CF24CC55FAA7FB5FB99764F104528F992A62E0DB70E990EB50

Function 0056C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0056C182
GetLastError.KERNEL32 ref: 0056C195
SetEvent.KERNEL32(?), ref: 0056C1A9

Part of subcall function 0056C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056C272
Part of subcall function 0056C253: GetLastError.KERNEL32 ref: 0056C322
Part of subcall function 0056C253: SetEvent.KERNEL32(?), ref: 0056C336
Part of subcall function 0056C253: InternetCloseHandle.WININET(00000000), ref: 0056C341

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: bca2bac99e688890a4b46e0a22758e2e8d4f809e4e833b113fe9bed6fe2f82e7
Instruction ID: 6176fecebb203fde120e7bf84beac70b6a582114d844a33746496ab264484260
Opcode Fuzzy Hash: bca2bac99e688890a4b46e0a22758e2e8d4f809e4e833b113fe9bed6fe2f82e7
Instruction Fuzzy Hash: 22316B75200605AFDB219FA5DC58A76BFE9FF68300B00851DFDDA93610DB31E818EBA0

Function 005525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00553A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553A57
Part of subcall function 00553A3D: GetCurrentThreadId.KERNEL32 ref: 00553A5E
Part of subcall function 00553A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005525B3), ref: 00553A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00552601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00552605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0055260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00552623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00552627

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6fdbe08c0d28201c6de4ae59e9534c6b2662bfb39593baca3e14efc0b1d4b53a
Instruction ID: 538b519c8dc0bd0dc184490f212e1e3e3a7641293b075a0affc53f4ae2981d44
Opcode Fuzzy Hash: 6fdbe08c0d28201c6de4ae59e9534c6b2662bfb39593baca3e14efc0b1d4b53a
Instruction Fuzzy Hash: BA01B131290210BBFB106769DC9EF593F59EB9AB52F101012FB18AE0D5C9F22448DB79

Function 00551803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00551449,?,?,00000000), ref: 0055180C
HeapAlloc.KERNEL32(00000000,?,00551449,?,?,00000000), ref: 00551813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00551449,?,?,00000000), ref: 00551828
GetCurrentProcess.KERNEL32(?,00000000,?,00551449,?,?,00000000), ref: 00551830
DuplicateHandle.KERNEL32(00000000,?,00551449,?,?,00000000), ref: 00551833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00551449,?,?,00000000), ref: 00551843
GetCurrentProcess.KERNEL32(00551449,00000000,?,00551449,?,?,00000000), ref: 0055184B
DuplicateHandle.KERNEL32(00000000,?,00551449,?,?,00000000), ref: 0055184E
CreateThread.KERNEL32(00000000,00000000,00551874,00000000,00000000,00000000), ref: 00551868

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c313e10c575205d6b2a9e9d469979a89eae6b49a0311402c85dce0402b62db20
Instruction ID: 2ab21b36c8093d5196edc55d6b01a72bd1e70fbe59d3a3e51eb644a8a1fc209c
Opcode Fuzzy Hash: c313e10c575205d6b2a9e9d469979a89eae6b49a0311402c85dce0402b62db20
Instruction Fuzzy Hash: F801A8B5240308BFE610ABA5DC8DF6B3FACEB99B11F005411FA05EB2A1DA719804DB30

Function 0057A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0055D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0055D501
Part of subcall function 0055D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0055D50F
Part of subcall function 0055D4DC: CloseHandle.KERNEL32(00000000), ref: 0055D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0057A16D
GetLastError.KERNEL32 ref: 0057A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0057A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0057A268
GetLastError.KERNEL32(00000000), ref: 0057A273
CloseHandle.KERNEL32(00000000), ref: 0057A2C4

Strings

SeDebugPrivilege, xrefs: 0057A18F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d70280232c5ab24bdf01e82608d0567f77c1c4745ff9daa9778c6586b6f0afc2
Instruction ID: e3ac0d7f84090d0f27413adde95e6bc7ece611d955481d386ed379ed528282ca
Opcode Fuzzy Hash: d70280232c5ab24bdf01e82608d0567f77c1c4745ff9daa9778c6586b6f0afc2
Instruction Fuzzy Hash: 34618C35204242AFD710DF19D494F29BFA1BF94318F54C48CE86A8B6A3C776EC49DB92

Function 00583886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00583925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0058393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00583954
_wcslen.LIBCMT ref: 00583999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005839F4

Strings

SysListView32, xrefs: 005838F7

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 72bc5ea1137186df1b9b8de0cbfed1d23afc5f3ee038f49629924016027da893
Instruction ID: df26690ccc0f10287d89e8d374f12374df7a0fba01ee95c3d21a2348ad2253ff
Opcode Fuzzy Hash: 72bc5ea1137186df1b9b8de0cbfed1d23afc5f3ee038f49629924016027da893
Instruction Fuzzy Hash: 6841A171A00219ABEB21AF64CC49FEA7FA9FF48750F100526F958F7281D7719A84CB94

Function 0055BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0055BCFD
IsMenu.USER32(00000000), ref: 0055BD1D
CreatePopupMenu.USER32 ref: 0055BD53
GetMenuItemCount.USER32(01415390), ref: 0055BDA4
InsertMenuItemW.USER32(01415390,?,00000001,00000030), ref: 0055BDCC

Strings

2, xrefs: 0055BD37
0, xrefs: 0055BCA8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f0cf7964c9b63ca6dc91a24ae8ff81054a04db577de6613c06dfed0ad383b481
Instruction ID: bacd08cd6d5e4f4e4e8a44f4c9f57c471bdb2eeac0aaaf21b9dc8654432a4860
Opcode Fuzzy Hash: f0cf7964c9b63ca6dc91a24ae8ff81054a04db577de6613c06dfed0ad383b481
Instruction Fuzzy Hash: 6451AF70A002099BEF10CFA8D8ACBAEBFF4BF95316F14451AEC51E7290D7719948CB61

Function 00512D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00512D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00512D53
_ValidateLocalCookies.LIBCMT ref: 00512DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00512E0C
_ValidateLocalCookies.LIBCMT ref: 00512E61

Strings

&HQ, xrefs: 00512DFE, 00512E07, 00512E18
csm, xrefs: 00512DF6

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HQ$csm
API String ID: 1170836740-3952113351
Opcode ID: 12679fea1ebb813971813df84cc972156423dac9fa7e9a5a8eaa85fd2b40592c
Instruction ID: 0035aaa44fef48e89856006cc17398d7247a423b762a0035dc16955f89d5b125
Opcode Fuzzy Hash: 12679fea1ebb813971813df84cc972156423dac9fa7e9a5a8eaa85fd2b40592c
Instruction Fuzzy Hash: E841C634A00209AFDF10DF68D859ADEBFB5BF44324F148155E8146B392D731AEA6CBD0

Function 0055C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0055C913

Strings

blank, xrefs: 0055C895
warning, xrefs: 0055C8FC
info, xrefs: 0055C8B4
stop, xrefs: 0055C8E4
question, xrefs: 0055C8CC

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5b0042f266f082b3388b2a862c047e6fd846f25c00bd05947b5bdcc779496583
Instruction ID: d68e84e1c5f0fbf48ed38829401603b9d0d3d6dae01cbd775e7a6264d7806301
Opcode Fuzzy Hash: 5b0042f266f082b3388b2a862c047e6fd846f25c00bd05947b5bdcc779496583
Instruction Fuzzy Hash: 42113D32689307BFE7005B149C93CEA6FACFF15716B20002BFD00A62C2DB747D845664

Function 0055ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0055ED2A
_wcslen.LIBCMT ref: 0055ED3B
_wcslen.LIBCMT ref: 0055ED79
_wcslen.LIBCMT ref: 0055EDAF
_wcslen.LIBCMT ref: 0055EDDF
_wcslen.LIBCMT ref: 0055EDEF
_wcslen.LIBCMT ref: 0055EE2B
_wcslen.LIBCMT ref: 0055EE5A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 64ebdbda4f15e207ace82a1665ecfdd446f2f7ef6129edb4ddc3bdf4f719ab95
Instruction ID: 2208ee58973c4c6f796c416478514749fbeb27ba00a4d5308826ebc515507af0
Opcode Fuzzy Hash: 64ebdbda4f15e207ace82a1665ecfdd446f2f7ef6129edb4ddc3bdf4f719ab95
Instruction Fuzzy Hash: 35418069C1021965DB11EBB4888F9CFBBBCBF85710F508466E924E3122EB34E395C7A5

Function 0050F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0050F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0054F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0054F454

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7c1877df8d7f36fe7566497a6c2a46137c8028821fcedd535a49f3e9b2268bb1
Instruction ID: b04a459d046cad3db4961ca95c272064ca1c1fb0585987bd5d76ff0d58c2d3b3
Opcode Fuzzy Hash: 7c1877df8d7f36fe7566497a6c2a46137c8028821fcedd535a49f3e9b2268bb1
Instruction Fuzzy Hash: 6D412A31608680BEDB398F2DD88CB6E7F91BB96314F144C3DE48762DE1D631A885DB11

Function 00582D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00582D1B
GetDC.USER32(00000000), ref: 00582D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00582D2E
ReleaseDC.USER32(00000000,00000000), ref: 00582D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00582D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00582D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00585A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00582DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00582DE1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 21dd32bbd6f195b68a8652706f317063bd93affac5d98cb34cac2684038bbba7
Instruction ID: 3d97e1aced6e0bc754b0bb03aae7b2adc2025ad77fb8aba002ababea8b388dbb
Opcode Fuzzy Hash: 21dd32bbd6f195b68a8652706f317063bd93affac5d98cb34cac2684038bbba7
Instruction Fuzzy Hash: 1B318B76201214BBEB119F548C8AFEB3FA9FF19751F044065FE08AE291D6759C45CBB0

Function 00555622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00555637
_memcmp.LIBVCRUNTIME ref: 00555659
_memcmp.LIBVCRUNTIME ref: 00555671
_memcmp.LIBVCRUNTIME ref: 00555684
_memcmp.LIBVCRUNTIME ref: 0055569E
_memcmp.LIBVCRUNTIME ref: 005556B1
_memcmp.LIBVCRUNTIME ref: 005556C9
_memcmp.LIBVCRUNTIME ref: 005556E4

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9f48df24cea49bc33c6931360d103ff547a2107fcb87fcb5ece7237835458c09
Instruction ID: 7bdde14fac3e6049a9f3f9d31768ef6a5724d478ba11c68d0d5e4286ab1842ba
Opcode Fuzzy Hash: 9f48df24cea49bc33c6931360d103ff547a2107fcb87fcb5ece7237835458c09
Instruction Fuzzy Hash: FF212C61744D0EB7E21465118DB2FFA3F5CBF54386F540422FE066A541F720EE1883A9

Function 00574FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00575007
NULL Pointer assignment, xrefs: 0057502E, 00575383

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9b5b5a8d604bf01b385d0fb1fa16c5a5a906956b2a408c46f13f6194af06d306
Instruction ID: f6c7f8505cc8f5d4dc8489fb9a07ab750ef98cec77471f24a39c528c912152c8
Opcode Fuzzy Hash: 9b5b5a8d604bf01b385d0fb1fa16c5a5a906956b2a408c46f13f6194af06d306
Instruction Fuzzy Hash: 5AD1E371A0060A9FDF10CFA8D884BAEBBB5FF48304F14C469E919AB291E7B0DD45DB50

Function 00531522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00531651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005317FB,?,005317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005316FB

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00531777
__freea.LIBCMT ref: 005317A2
__freea.LIBCMT ref: 005317AE

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 06b79fddda4df28191284e037d1dd75029be1db08b7f53dff9b5e10727643871
Instruction ID: d8996ac19affbdbef217f4a5b1f9c4ebadf0e5c13710174426dd0768a56cf55b
Opcode Fuzzy Hash: 06b79fddda4df28191284e037d1dd75029be1db08b7f53dff9b5e10727643871
Instruction Fuzzy Hash: DC91A271E00A169ADF218FB4C985AEE7FB5FF89310F184659E802E7281DB35DC44CB68

Function 00574523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00574648
VariantInit.OLEAUT32(?), ref: 00574749
VariantClear.OLEAUT32(?), ref: 00574753
VariantClear.OLEAUT32(?), ref: 005747B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0057472C
Null Object assignment in FOR..IN loop, xrefs: 005745D8, 00574706, 005747BE

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 43e5b8e3b85be4fe3ddd0874d77f5bcd8ca5d3dc7a5f49975aebcd7224e80ce9
Instruction ID: 409a887adc2d1eb63a3a8315f633190dd9d072b6dc7136a4da63350d9f4bf8e3
Opcode Fuzzy Hash: 43e5b8e3b85be4fe3ddd0874d77f5bcd8ca5d3dc7a5f49975aebcd7224e80ce9
Instruction Fuzzy Hash: 4A919171A00219ABDF24CFA4D888FAEBFB8FF85710F108559F509AB280D7709941DFA0

Function 00561187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0056125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00561284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0056135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00561430

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 20b6c61e24f47453e81d4167acddd918ec1f60f6974f2a64dc3f4333541e852a
Instruction ID: 16b57d0e7682ba628b1a1ae7d5f2816bfd91d61d37951d0db6d03c9f2144e6c7
Opcode Fuzzy Hash: 20b6c61e24f47453e81d4167acddd918ec1f60f6974f2a64dc3f4333541e852a
Instruction Fuzzy Hash: 54912675A006099FDB00DFA5C885BBEBBB5FF84315F184429E901EB291DB74ED41CB98

Function 0050948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 18c05bb4bc090199f817d065fd96529155fd4184d815e3637037513a7f043667
Instruction ID: 57616fe2505f8aa4fd535fcab68922c3b4ca74b61a25691c200d3878dd37f7a7
Opcode Fuzzy Hash: 18c05bb4bc090199f817d065fd96529155fd4184d815e3637037513a7f043667
Instruction Fuzzy Hash: 78912771900219EFCB10CFA9CC88AEEBFB8FF49324F148555E915B7296D374A941CB60

Function 00573947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0057396B
CharUpperBuffW.USER32(?,?), ref: 00573A7A
_wcslen.LIBCMT ref: 00573A8A
VariantClear.OLEAUT32(?), ref: 00573C1F

Part of subcall function 00560CDF: VariantInit.OLEAUT32(00000000), ref: 00560D1F
Part of subcall function 00560CDF: VariantCopy.OLEAUT32(?,?), ref: 00560D28
Part of subcall function 00560CDF: VariantClear.OLEAUT32(?), ref: 00560D34

Strings

AUTOIT.ERROR, xrefs: 00573A80, 00573A85
Incorrect Parameter format, xrefs: 005739A6, 00573BA1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b0618c51d313fcd7894d2af85c7511abdcb20e292eaba485e74a46b1daa3b033
Instruction ID: a5fa21a821770273385c04aeeecb56ffc73cd42aa1f5945f52ed41b43e3259e2
Opcode Fuzzy Hash: b0618c51d313fcd7894d2af85c7511abdcb20e292eaba485e74a46b1daa3b033
Instruction Fuzzy Hash: 0F9168756083059FC704EF24D48596ABBE4FF88324F14886EF8899B351DB30EE45EB92

Function 00574BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0055000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?,?,0055035E), ref: 0055002B
Part of subcall function 0055000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550046
Part of subcall function 0055000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550054
Part of subcall function 0055000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?), ref: 00550064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00574C51
_wcslen.LIBCMT ref: 00574D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00574DCF
CoTaskMemFree.OLE32(?), ref: 00574DDA

Strings

NULL Pointer assignment, xrefs: 00574E23, 00574E52

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 238ead6cbfec1b4e84639642c84cf4d7ad676df7b674385ec4c427c5c43ddee4
Instruction ID: cd9e3f37c6bac56d21f549be7d86cba5542d4e2fb18370a860abf0b5573d1710
Opcode Fuzzy Hash: 238ead6cbfec1b4e84639642c84cf4d7ad676df7b674385ec4c427c5c43ddee4
Instruction Fuzzy Hash: 38913871D0021D9FDF10DFA4D891AEEBBB8BF08314F10856AE919A7281DB349E44DF60

Function 005820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00582183
GetMenuItemCount.USER32(00000000), ref: 005821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005821DD
_wcslen.LIBCMT ref: 00582213
GetMenuItemID.USER32(?,?), ref: 0058224D
GetSubMenu.USER32(?,?), ref: 0058225B

Part of subcall function 00553A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553A57
Part of subcall function 00553A3D: GetCurrentThreadId.KERNEL32 ref: 00553A5E
Part of subcall function 00553A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005525B3), ref: 00553A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005822E3

Part of subcall function 0055E97B: Sleep.KERNEL32 ref: 0055E9F3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a4c1d97b0a55522ed3a67f0344cc6a42cafebb3704a9f2aa78ab2524655e1c77
Instruction ID: f745c9378fa764344d7a8fe5ce7c9d1384b1d358e3844601da03f0d5462cf804
Opcode Fuzzy Hash: a4c1d97b0a55522ed3a67f0344cc6a42cafebb3704a9f2aa78ab2524655e1c77
Instruction Fuzzy Hash: 2F714C75A00205AFCB14EF65C885AAEBFF5BF88314F148469E916FB351DB34A941CBA0

Function 0055AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0055AEF9
GetKeyboardState.USER32(?), ref: 0055AF0E
SetKeyboardState.USER32(?), ref: 0055AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0055AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0055AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0055AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0055B020

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 44ce816090e194e86be5f31bb4cff7ddd7892013432d6a2532015cefa193e4a4
Instruction ID: 2f79d17ec346a98eafacd813a555e189f0e16a3f46c9cf48e60ac0838278f7a0
Opcode Fuzzy Hash: 44ce816090e194e86be5f31bb4cff7ddd7892013432d6a2532015cefa193e4a4
Instruction Fuzzy Hash: 085104A06043D13DFB3242348C69BBABEA96F06305F08858AE9D9554D3D398ACCCD361

Function 0055ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0055AD19
GetKeyboardState.USER32(?), ref: 0055AD2E
SetKeyboardState.USER32(?), ref: 0055AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0055ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0055ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0055AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0055AE38

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d64a938074b66d71ba86335b86d989875427caf28455e7bbe55e103e5a1fa8d2
Instruction ID: e243678e07a9c34d18f8413dfddd69b37db9465e8ec1bacfeaf0f32f5c91c2c5
Opcode Fuzzy Hash: d64a938074b66d71ba86335b86d989875427caf28455e7bbe55e103e5a1fa8d2
Instruction Fuzzy Hash: D15108A15047D53DFB3393348C66B7ABEA87B45302F08868AE9D5568C2D394EC8CD762

Function 0052542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00533CD6,?,?,?,?,?,?,?,?,00525BA3,?,?,00533CD6,?,?), ref: 00525470
__fassign.LIBCMT ref: 005254EB
__fassign.LIBCMT ref: 00525506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00533CD6,00000005,00000000,00000000), ref: 0052552C
WriteFile.KERNEL32(?,00533CD6,00000000,00525BA3,00000000,?,?,?,?,?,?,?,?,?,00525BA3,?), ref: 0052554B
WriteFile.KERNEL32(?,?,00000001,00525BA3,00000000,?,?,?,?,?,?,?,?,?,00525BA3,?), ref: 00525584

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ab8f9c63cb740525c0e727126bc9d47ca444b41ad563a5281b79dfaaf0990ea6
Instruction ID: c4a0c4033cf1dd82cad9841fd81741100a9ed1a911799fd9e7fbcbc6be865c7c
Opcode Fuzzy Hash: ab8f9c63cb740525c0e727126bc9d47ca444b41ad563a5281b79dfaaf0990ea6
Instruction Fuzzy Hash: FE51B171A006199FDB10CFA8E885AEEBFF9FF1A301F14451AF955E72D1E6309A41CB60

Function 005710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0057304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0057307A
Part of subcall function 0057304E: _wcslen.LIBCMT ref: 0057309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00571112
WSAGetLastError.WSOCK32 ref: 00571121
WSAGetLastError.WSOCK32 ref: 005711C9
closesocket.WSOCK32(00000000), ref: 005711F9

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6cd4e1b775ffed42966668538635dad0cb5bfe31128e12a3fdab2eda9a9d5f6a
Instruction ID: e9b0c1fb97e81a9590989159dd5157cb62bbf86167a8fbf757add90597752f32
Opcode Fuzzy Hash: 6cd4e1b775ffed42966668538635dad0cb5bfe31128e12a3fdab2eda9a9d5f6a
Instruction Fuzzy Hash: 30410331600608AFDB109F28D884BA9BFE9FF45328F54C059FD0AAF291C774AD45DBA5

Function 0055CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0055CF22,?), ref: 0055DDFD

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0055CF22,?), ref: 0055DE16

lstrcmpiW.KERNEL32(?,?), ref: 0055CF45
MoveFileW.KERNEL32(?,?), ref: 0055CF7F
_wcslen.LIBCMT ref: 0055D005
_wcslen.LIBCMT ref: 0055D01B
SHFileOperationW.SHELL32(?), ref: 0055D061

Strings

\*.*, xrefs: 0055CFF3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 56862fa7c3b8a8c2d1a1684afd04e12eff2be8e3c25b58f658980caae2da8276
Instruction ID: 799d8d923e72dd5e914bf7ff03680f90a3e7499909945f3354edc6e0a583ab7a
Opcode Fuzzy Hash: 56862fa7c3b8a8c2d1a1684afd04e12eff2be8e3c25b58f658980caae2da8276
Instruction Fuzzy Hash: BA4144719052195FDF12EBA4D995ADDBFB8BF48381F0000E7E905EB141EA34A788CB50

Function 00582DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00582E1C
GetWindowLongW.USER32(?,000000F0), ref: 00582E4F
GetWindowLongW.USER32(?,000000F0), ref: 00582E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00582EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00582EE0
GetWindowLongW.USER32(?,000000F0), ref: 00582EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00582F0B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8f4c55b56e5e3c009d78baece423fe69addf12410e43a8c21c7597f32f1964bc
Instruction ID: 1883cbe420c706ec1a571a4735707ef00f147405ea494dd17a19b3a282ebec61
Opcode Fuzzy Hash: 8f4c55b56e5e3c009d78baece423fe69addf12410e43a8c21c7597f32f1964bc
Instruction Fuzzy Hash: F3312430604640AFDB21EF19DC84F653FE8FBAA710F141165F900AF2B2CB71A848EB18

Function 00557726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00557769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0055778F
SysAllocString.OLEAUT32(00000000), ref: 00557792
SysAllocString.OLEAUT32(?), ref: 005577B0
SysFreeString.OLEAUT32(?), ref: 005577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005577DE
SysAllocString.OLEAUT32(?), ref: 005577EC

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fa75cac6a4e0238cba9dc796da81bffab8e213a025d0569f6438a5cc5763df70
Instruction ID: b42665c6a2a3c05dc8c67a88e247d895d5440c25b10c0c2410fbb58cd674cdd6
Opcode Fuzzy Hash: fa75cac6a4e0238cba9dc796da81bffab8e213a025d0569f6438a5cc5763df70
Instruction Fuzzy Hash: 92219F76614219AFDF10DFA8EC88CBA7BACFB0D3657048426BD14DB1A0D6709C498760

Function 005577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00557842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00557868
SysAllocString.OLEAUT32(00000000), ref: 0055786B
SysAllocString.OLEAUT32 ref: 0055788C
SysFreeString.OLEAUT32 ref: 00557895
StringFromGUID2.OLE32(?,?,00000028), ref: 005578AF
SysAllocString.OLEAUT32(?), ref: 005578BD

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e53a3944a3299aedba4939708f8fee0a51e2532cc105e6b906c47d7336ae3f65
Instruction ID: 76d1660f988e9d83e28bcd7cbd61ee7558e0a86d6ae15cfc7313cb0c1dc93225
Opcode Fuzzy Hash: e53a3944a3299aedba4939708f8fee0a51e2532cc105e6b906c47d7336ae3f65
Instruction Fuzzy Hash: 09218131604118AFDF109BA8EC9CDAA7BACFB0C3617108126BD15DB2A1D670DC49CB74

Function 005604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0056052E

Strings

nul, xrefs: 00560567

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 68169ce65331f6e4791e3a3e73e2e9c7fbfbc9aca7dfb1ebe9a8600d23259afd
Instruction ID: 2dd1017d706fab86ad719139c997ad94116bafbecf45225f329b64205c54d1d4
Opcode Fuzzy Hash: 68169ce65331f6e4791e3a3e73e2e9c7fbfbc9aca7dfb1ebe9a8600d23259afd
Instruction Fuzzy Hash: BE215C75600305ABDF209F29DC44AAB7FA4BF64724F205A19F8A2E72E0E7709944DF20

Function 005605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00560601

Strings

nul, xrefs: 00560639

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7d699386046f7657db1b2be9c6dadf69f37da132bc853f74976858236fe0ad80
Instruction ID: 31b906b6bb4d403c0beff12745400c19514f80461cacb76a8a7304744f051543
Opcode Fuzzy Hash: 7d699386046f7657db1b2be9c6dadf69f37da132bc853f74976858236fe0ad80
Instruction Fuzzy Hash: 7F2151755003059BDB209F69DC44AAB7FE4BF95720F201A19FCA1E72E0D7B09961DB20

Function 005840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F604C
Part of subcall function 004F600E: GetStockObject.GDI32(00000011), ref: 004F6060
Part of subcall function 004F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00584112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0058411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0058412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00584139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00584145

Strings

Msctls_Progress32, xrefs: 005840E3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f02a544d83e7568ae914d654fe450e13d13d9ea952d7daf483c5e46d4a6bcf5c
Instruction ID: 37c167e4c2c78ac3e6aa5d1e98b997d236c7441cfda94794a3910821aa614617
Opcode Fuzzy Hash: f02a544d83e7568ae914d654fe450e13d13d9ea952d7daf483c5e46d4a6bcf5c
Instruction Fuzzy Hash: 671190B215021EBEEF119F64CC85EE77F5DFF18798F014111BA18A6090CA769C21DBA4

Function 0052D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0052D7A3: _free.LIBCMT ref: 0052D7CC

_free.LIBCMT ref: 0052D82D

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052D838
_free.LIBCMT ref: 0052D843
_free.LIBCMT ref: 0052D897
_free.LIBCMT ref: 0052D8A2
_free.LIBCMT ref: 0052D8AD
_free.LIBCMT ref: 0052D8B8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 3dbe6212fc4485eb7f410a970959c79be8919209bf0380ab29a7a80fe44a6126
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B3113072540725BAD521BFB0EC4BFCB7FECBF86700F440815B29DA60D2D66DB5854660

Function 0055DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0055DA74
LoadStringW.USER32(00000000), ref: 0055DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0055DA91
LoadStringW.USER32(00000000), ref: 0055DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0055DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0055DAB9

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ee44e8acaf1f155411912a177c20a2926538283d0b8e2ad17ce737a0c472a15d
Instruction ID: d2c2601c55b35c1a7ffa06019a5ec8632870077869c77148b81507dfd9d88921
Opcode Fuzzy Hash: ee44e8acaf1f155411912a177c20a2926538283d0b8e2ad17ce737a0c472a15d
Instruction Fuzzy Hash: EC0162F25002087FEB10ABA4DD89EEB3A6CF708301F4014A6BB06F2041E6749E888F74

Function 0056096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0141E590,0141E590), ref: 0056097B
EnterCriticalSection.KERNEL32(0141E570,00000000), ref: 0056098D
TerminateThread.KERNEL32(?,000001F6), ref: 0056099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005609A9
CloseHandle.KERNEL32(?), ref: 005609B8
InterlockedExchange.KERNEL32(0141E590,000001F6), ref: 005609C8
LeaveCriticalSection.KERNEL32(0141E570), ref: 005609CF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8b343081d708f913b3d32a4e90cc828299d2a29f2252de6dea2a38be5577746f
Instruction ID: f4cbda73cab2cd8ffb0c1e5224cbe517bbe089c12e0b3fc7f8209d92167989da
Opcode Fuzzy Hash: 8b343081d708f913b3d32a4e90cc828299d2a29f2252de6dea2a38be5577746f
Instruction Fuzzy Hash: A9F01D31442902ABD7415B94EE8CAD67F25BF11712F403015F502618E0C7749469DFA0

Function 00571C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00571DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00571DE1
WSAGetLastError.WSOCK32 ref: 00571DF2
htons.WSOCK32(?,?,?,?,?), ref: 00571EDB
inet_ntoa.WSOCK32(?), ref: 00571E8C

Part of subcall function 005539E8: _strlen.LIBCMT ref: 005539F2

Part of subcall function 00573224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0056EC0C), ref: 00573240

_strlen.LIBCMT ref: 00571F35

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 11635b37164bca5982f588a1f6479ee52079a17d2ef5bbed23295cc2f1b8a65c
Instruction ID: 3e718931263d1c0f4564ad6088b25149faa8b3e8f6cf58e65b691467263f5b84
Opcode Fuzzy Hash: 11635b37164bca5982f588a1f6479ee52079a17d2ef5bbed23295cc2f1b8a65c
Instruction Fuzzy Hash: A5B1E070204700AFC324EF29D895E3A7BA9BF84318F54894CF55A5B2E2CB31ED45CBA5

Function 005201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005200D6
__allrem.LIBCMT ref: 005200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0052010B
__allrem.LIBCMT ref: 00520122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00520140

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: fdcb23850a64eaa0212bbbec82f343c887ce09a75742cbe89d9d3ef85037e231
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 72812776A01B269BF7209F38DC45BAB7BE9BF82320F24453AF511D62C2E7B0D9418750

Function 005261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005182D9,005182D9,?,?,?,0052644F,00000001,00000001,8BE85006), ref: 00526258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0052644F,00000001,00000001,8BE85006,?,?,?), ref: 005262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005263D8
__freea.LIBCMT ref: 005263E5

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

__freea.LIBCMT ref: 005263EE
__freea.LIBCMT ref: 00526413

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ac409ea5a3b13ea1375297f0de49ace24e43ff4d38ef74baaded3a1151e66508
Instruction ID: 737eadab35e5d1fc694a60baf68060e9b1535a0fa29bcf37efac769809aca680
Opcode Fuzzy Hash: ac409ea5a3b13ea1375297f0de49ace24e43ff4d38ef74baaded3a1151e66508
Instruction Fuzzy Hash: 9251CE72600226ABEB258E64EC85EAF7FA9FF96710F154A29FC05D71C0DB34DC44C6A0

Function 0057BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057BD25
RegCloseKey.ADVAPI32(00000000), ref: 0057BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0057BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0057BDF3
RegCloseKey.ADVAPI32(?), ref: 0057BDFF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d8b20198d3c3059e87aded11670db26b65a792de272f87fc48ea6197350fee94
Instruction ID: 15e37082e9d0915acecd01726a15784ddc766152c88cfb5cbf34eebbfec57708
Opcode Fuzzy Hash: d8b20198d3c3059e87aded11670db26b65a792de272f87fc48ea6197350fee94
Instruction Fuzzy Hash: 5F81AA70208241AFD714DF24D885F2ABBE9FF84348F14896DF5598B2A2DB31ED05DB92

Function 0054F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0054F7B9
SysAllocString.OLEAUT32(00000001), ref: 0054F860
VariantCopy.OLEAUT32(0054FA64,00000000), ref: 0054F889
VariantClear.OLEAUT32(0054FA64), ref: 0054F8AD
VariantCopy.OLEAUT32(0054FA64,00000000), ref: 0054F8B1
VariantClear.OLEAUT32(?), ref: 0054F8BB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: a2160bf8b15420bd58837f5ce6f00147f568e801ab4e1aa84b1dfb54dd136355
Instruction ID: 8992eaee210485d61d0f3faec98c3d22d722b4e290d84537ede89ded14eb7014
Opcode Fuzzy Hash: a2160bf8b15420bd58837f5ce6f00147f568e801ab4e1aa84b1dfb54dd136355
Instruction Fuzzy Hash: ED51EA31A00311BACF24AF69D895BB9BBA4FF85318F145867E905DF291D7748C40C7A6

Function 0056910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005694E5
_wcslen.LIBCMT ref: 00569506
_wcslen.LIBCMT ref: 0056952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00569585

Strings

X, xrefs: 00569412

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b3435cc1b1abb6378d2381113cfa03852649ac38fb24b4d25a85ed239bd51ee0
Instruction ID: 9bd1d210f22fee874e9a2ada4d1951cb8f26fc20652b2ab841e23469133d342b
Opcode Fuzzy Hash: b3435cc1b1abb6378d2381113cfa03852649ac38fb24b4d25a85ed239bd51ee0
Instruction Fuzzy Hash: 23E1B131604341DFD724EF25C485A6ABBE4FF85318F04896DF9899B2A2DB34DD05CB92

Function 0050920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

BeginPaint.USER32(?,?,?), ref: 00509241
GetWindowRect.USER32(?,?), ref: 005092A5
ScreenToClient.USER32(?,?), ref: 005092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005092D3
EndPaint.USER32(?,?,?,?,?), ref: 00509321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005471EA

Part of subcall function 00509339: BeginPath.GDI32(00000000), ref: 00509357

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9828885408a05f3f1fe63bd79c00f62e3230c4021dcf80c4041fee6bfb9d87bb
Instruction ID: 312c4b34ef24f1227f7115fee108c68535016a792fffa24513f16abebf38a108
Opcode Fuzzy Hash: 9828885408a05f3f1fe63bd79c00f62e3230c4021dcf80c4041fee6bfb9d87bb
Instruction Fuzzy Hash: 84419D70104701AFD721DF24CC88FAA7FB8FB9A324F140629F994972E2C7719849EB61

Function 005607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0056080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00560847
EnterCriticalSection.KERNEL32(?), ref: 00560863
LeaveCriticalSection.KERNEL32(?), ref: 005608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00560921

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1013cbb4ab12c1d5b56cfe348057971e2c5edaab8118c2e1066cdb07e3a6262a
Instruction ID: 378923174b4d61bf996b3d35f13f9978c979f59d55484d8d8da663c35a3dac02
Opcode Fuzzy Hash: 1013cbb4ab12c1d5b56cfe348057971e2c5edaab8118c2e1066cdb07e3a6262a
Instruction Fuzzy Hash: B7414871900205EBDF14EF54DC89AAA7BB9FF44310F1440A9ED01AB297DB30EE65DBA0

Function 005881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0054F3AB,00000000,?,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0058824C
EnableWindow.USER32(?,00000000), ref: 00588272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005882D1
ShowWindow.USER32(?,00000004), ref: 005882E5
EnableWindow.USER32(?,00000001), ref: 0058830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0058832F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ebd046c00fe98e1c8751b07573bdce898518f679a789db216f157131c89f1605
Instruction ID: c183bea16e00793ce0deb0960ad7ddc5aa98bfef3d0ec6672b406db4f3f80278
Opcode Fuzzy Hash: ebd046c00fe98e1c8751b07573bdce898518f679a789db216f157131c89f1605
Instruction Fuzzy Hash: 8641C438601A40AFDB22EF15CC99FB47FE0FB16714F581168ED09AF262CB31A845DB50

Function 00554C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00554C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00554CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00554CEA
_wcslen.LIBCMT ref: 00554D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00554D10
_wcsstr.LIBVCRUNTIME ref: 00554D1A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: c75507d795dad17f9d11c0fb45764b9e247643417c4dc80c541efe7e90495bce
Instruction ID: ce317a7af72ba3367614fc80029eb14353b3357d2feb817457db9e3f1eeba64f
Opcode Fuzzy Hash: c75507d795dad17f9d11c0fb45764b9e247643417c4dc80c541efe7e90495bce
Instruction Fuzzy Hash: 4721C531204201BBEB259B2ADC59A7F7FACEF85755F10403AFC05DE191EA61DC849BA0

Function 0056581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

_wcslen.LIBCMT ref: 0056587B
CoInitialize.OLE32(00000000), ref: 00565995
CoCreateInstance.OLE32(0058FCF8,00000000,00000001,0058FB68,?), ref: 005659AE
CoUninitialize.OLE32 ref: 005659CC

Strings

.lnk, xrefs: 00565876, 005658C1, 00565985

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 6446dff9b034399a4ac94334156ecddc54f63b72ab479b8de177cd32a50fc5d2
Instruction ID: aeb4f912193719970a418a25468c99204a6ce384d741fdaa7193d51aadb335a0
Opcode Fuzzy Hash: 6446dff9b034399a4ac94334156ecddc54f63b72ab479b8de177cd32a50fc5d2
Instruction Fuzzy Hash: CCD172706087059FC714DF25C480A2ABBE5FF89718F14885EF98A9B361EB35EC45CB92

Function 0055175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00550FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00550FCA
Part of subcall function 00550FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00550FD6
Part of subcall function 00550FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00550FE5
Part of subcall function 00550FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00550FEC
Part of subcall function 00550FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00551002

GetLengthSid.ADVAPI32(?,00000000,00551335), ref: 005517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005517BA
HeapAlloc.KERNEL32(00000000), ref: 005517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005517DA
GetProcessHeap.KERNEL32(00000000,00000000,00551335), ref: 005517EE
HeapFree.KERNEL32(00000000), ref: 005517F5

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 26efad846c63e57738e42b6c6e2a8dca805a66b83ac37db0791ba3be3980190e
Instruction ID: 3d40541e99c97819995c6280f5d12f6db01f643f1ac2543b25646bbb1c795d2a
Opcode Fuzzy Hash: 26efad846c63e57738e42b6c6e2a8dca805a66b83ac37db0791ba3be3980190e
Instruction Fuzzy Hash: 6F11BE31520A05FFDB149FA8CC99BAE7FA9FF49356F10411AFC41A7210C735A948DB68

Function 005514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00551506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00551515
CloseHandle.KERNEL32(00000004), ref: 00551520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0055154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00551563

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 65d91191d709f816eb544c816931edba903f3d824f59a08f176c42ca4d2b903b
Instruction ID: 016a3142e12504b8ac31d17696d8cfcc22efb78182001d0e2a2f77118b122c66
Opcode Fuzzy Hash: 65d91191d709f816eb544c816931edba903f3d824f59a08f176c42ca4d2b903b
Instruction Fuzzy Hash: 10116472100209EBDF118FA8ED09FDE3FA9FB48749F044029FE05A2060D3758E68EB64

Function 00513382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00513379,00512FE5), ref: 00513390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0051339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005133B7
SetLastError.KERNEL32(00000000,?,00513379,00512FE5), ref: 00513409

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 43e01bdd1a0fd5b0729ac51907a066e7779ec3d3e2e5041f0b4c002e65a67b0f
Instruction ID: a0a8070b6fc4b5b235475cdc924311636a741493aa95cee7a5bd23387908aa37
Opcode Fuzzy Hash: 43e01bdd1a0fd5b0729ac51907a066e7779ec3d3e2e5041f0b4c002e65a67b0f
Instruction Fuzzy Hash: 87012832308312BEBB143B747CED5DB2E54FB653757200729F420841F0EF516D8AA558

Function 00522D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00525686,00533CD6,?,00000000,?,00525B6A,?,?,?,?,?,0051E6D1,?,005B8A48), ref: 00522D78
_free.LIBCMT ref: 00522DAB
_free.LIBCMT ref: 00522DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0051E6D1,?,005B8A48,00000010,004F4F4A,?,?,00000000,00533CD6), ref: 00522DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0051E6D1,?,005B8A48,00000010,004F4F4A,?,?,00000000,00533CD6), ref: 00522DEC
_abort.LIBCMT ref: 00522DF2

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a92bed2dc33b1d0feda63cba443cc0d394d6664814cfd7b365d309eb12d61e35
Instruction ID: e72b77b95c639c52d74d0568bcc8b4ea1226be1d6ee567c3cabd2e925fe91288
Opcode Fuzzy Hash: a92bed2dc33b1d0feda63cba443cc0d394d6664814cfd7b365d309eb12d61e35
Instruction Fuzzy Hash: C8F0C83E50463277C3122738BC0EE5B2E59BFD37A1F240928F829E21D2EE3498475270

Function 00588A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00509639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00509693
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096A2
Part of subcall function 00509639: BeginPath.GDI32(?), ref: 005096B9
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00588A4E
LineTo.GDI32(?,00000003,00000000), ref: 00588A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00588A70
LineTo.GDI32(?,00000000,00000003), ref: 00588A80
EndPath.GDI32(?), ref: 00588A90
StrokePath.GDI32(?), ref: 00588AA0

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7236b957968a242e844475576cb8bb253c50305a3246931b9a6815ac9a88afbe
Instruction ID: 9547a88ca9545652a6a237982ff1f3a00f2481d6423c9a792215f60bd680a802
Opcode Fuzzy Hash: 7236b957968a242e844475576cb8bb253c50305a3246931b9a6815ac9a88afbe
Instruction Fuzzy Hash: A5110976000109FFDB129F90DC88EAA7F6DEB19390F008052BE19AA1A1C7719D59EBA0

Function 005551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00555218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00555229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00555230
ReleaseDC.USER32(00000000,00000000), ref: 00555238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0055524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00555261

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b0fffd8cdfed8e7b577af2c33f83dd6ca26c4f552ca8283a61674fe2a022ceb9
Instruction ID: 62553dab48c5bcb0c8e40e46543be15a8df5c3cc0d58a37de8bb559c3bb5eb27
Opcode Fuzzy Hash: b0fffd8cdfed8e7b577af2c33f83dd6ca26c4f552ca8283a61674fe2a022ceb9
Instruction Fuzzy Hash: 1A014475A00715BBEB109BB69C49A5EBF78FF54751F044065FE04E7281D6709808DB60

Function 004F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 004F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 004F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 004F1C22

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2c022750fd6d047b42c91e1885be1b88a31f28640a1a03b022cad67b80377421
Instruction ID: 0108bba8de721f999fc51ef1c4afd3888e957bfd08d65140bbe2fc876ca1a7bf
Opcode Fuzzy Hash: 2c022750fd6d047b42c91e1885be1b88a31f28640a1a03b022cad67b80377421
Instruction Fuzzy Hash: 45016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C4B941C7F5A868CBE5

Function 0055EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0055EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0055EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0055EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055EB75

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6b58f84c9dc21935ea9d302ef6dbbb374195e7f02cf1ecc05a5380cf1fbbc918
Instruction ID: 7f565e3adc753139f8a0d5234090b01b07d85dcaea5d04c03637deee55234a8b
Opcode Fuzzy Hash: 6b58f84c9dc21935ea9d302ef6dbbb374195e7f02cf1ecc05a5380cf1fbbc918
Instruction Fuzzy Hash: 5DF06D72100118BBE62057529C0EEAB3E7CEBDAB11F001168FA01E1091E7B01A09E7B4

Function 00547439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00547452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00547469
GetWindowDC.USER32(?), ref: 00547475
GetPixel.GDI32(00000000,?,?), ref: 00547484
ReleaseDC.USER32(?,00000000), ref: 00547496
GetSysColor.USER32(00000005), ref: 005474B0

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: e3af4f1043fe3df8c50d2ada4e8b75e915d094d5c7b3c21c2dc90049da4f5ba8
Instruction ID: 2a3ec8417a4dd379866d4a7ffa6f0073ae205b66c2dd13b8fb205bf13de5fdde
Opcode Fuzzy Hash: e3af4f1043fe3df8c50d2ada4e8b75e915d094d5c7b3c21c2dc90049da4f5ba8
Instruction Fuzzy Hash: 19017831400609EFDB105FA4EC08BEA7FB5FF18321F1014A0FD16A21A1CB311E45AB60

Function 00551874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0055187F
UnloadUserProfile.USERENV(?,?), ref: 0055188B
CloseHandle.KERNEL32(?), ref: 00551894
CloseHandle.KERNEL32(?), ref: 0055189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005518A5
HeapFree.KERNEL32(00000000), ref: 005518AC

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2929cc0a530001494e787ad6556978beca4daa7026292d275b633b144cf34893
Instruction ID: 21a86487d4250e4f4dd1b8d955ef9b7f416c6268cfc34b7755968c2997259cfc
Opcode Fuzzy Hash: 2929cc0a530001494e787ad6556978beca4daa7026292d275b633b144cf34893
Instruction Fuzzy Hash: 22E0E536004101BBDB015FA1ED0CD0ABF39FF69B22B109624FA25A1474CB329425FF60

Function 004FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FBEB3

Strings

D%\D%\, xrefs: 004FBCA5
D%\, xrefs: 004FBDED, 004FBD91, 004FBD1B
D%\, xrefs: 004FBE9A
D%\, xrefs: 004FBCA2

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%\$D%\$D%\$D%\D%\
API String ID: 1385522511-524531416
Opcode ID: 6df645743af1e2ebe853b45ac12f16a8dde07a8e1e953b7b980b5787d9a26581
Instruction ID: 17efc7d9968bb4c20802f422eb2c5716171583a6fe28ac21402c0cc29c7c68f2
Opcode Fuzzy Hash: 6df645743af1e2ebe853b45ac12f16a8dde07a8e1e953b7b980b5787d9a26581
Instruction Fuzzy Hash: 64912875A0020ACFCB18CF58C090ABABBF1FF5A310F24816EDA55AB350D735A981DBD5

Function 00577B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00510242: EnterCriticalSection.KERNEL32(005C070C,005C1884,?,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051024D
Part of subcall function 00510242: LeaveCriticalSection.KERNEL32(005C070C,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051028A

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 005100A3: __onexit.LIBCMT ref: 005100A9

__Init_thread_footer.LIBCMT ref: 00577BFB

Part of subcall function 005101F8: EnterCriticalSection.KERNEL32(005C070C,?,?,00508747,005C2514), ref: 00510202
Part of subcall function 005101F8: LeaveCriticalSection.KERNEL32(005C070C,?,00508747,005C2514), ref: 00510235

Strings

G, xrefs: 00577C7F
Variable must be of type 'Object'., xrefs: 00577C3A
5, xrefs: 00577C78
+TT, xrefs: 00577E2E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TT$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2382484226
Opcode ID: ff78ba5f16b69ad32e6725120891832898c3a8f095dfc436e8a9864036a236c8
Instruction ID: b60833b321c9b855aa48b42e6b0201fdb109bd678d70d1280737402a86a10089
Opcode Fuzzy Hash: ff78ba5f16b69ad32e6725120891832898c3a8f095dfc436e8a9864036a236c8
Instruction Fuzzy Hash: 32918C70A04209AFCB14EF94E895DBDBFB5FF48304F108459F81AAB291DB71AE41EB50

Function 0055C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0055C6EE
_wcslen.LIBCMT ref: 0055C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0055C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0055C7CA

Strings

0, xrefs: 0055C6AF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: dcad7e39612875b523e16ba72f487b8143a3c47c4362d3ecbca6675c58c85af0
Instruction ID: 563edcc0210f8fcbc6b711e486bc313215267c35cb01d3c9e55a1390a7b2f563
Opcode Fuzzy Hash: dcad7e39612875b523e16ba72f487b8143a3c47c4362d3ecbca6675c58c85af0
Instruction Fuzzy Hash: 0551DE716243019FD7109E28C8A4B6ABFE8FB89315F040A2EFD95E3591DB74D908CB96

Function 0057AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0057AEA3

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

GetProcessId.KERNEL32(00000000), ref: 0057AF38
CloseHandle.KERNEL32(00000000), ref: 0057AF67

Strings

@, xrefs: 0057AE72
<, xrefs: 0057AE6B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 36e6a2c118733f67f5321c6b101ac2d7dedf32d6da8bfbfc04dfab96564ba36b
Instruction ID: e09ec90fee08128e5e0ac5b499d0817ef5f9e5ed82f434668b44f53464e5785b
Opcode Fuzzy Hash: 36e6a2c118733f67f5321c6b101ac2d7dedf32d6da8bfbfc04dfab96564ba36b
Instruction Fuzzy Hash: 56718974A00219DFCB14DF55D484AAEBBF4FF48318F04849AE81AAB392C778ED45DB91

Function 0055719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00557206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0055723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0055724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005572CF

Strings

DllGetClassObject, xrefs: 00557242

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 69fe0fe3d47617963285c108e5f849d665cb7f3f66f003f54022a8b6667d2f17
Instruction ID: b76126e1d642c7c76da98000d2b55dd3649e5973ace13e3edc723a0b21fe6dde
Opcode Fuzzy Hash: 69fe0fe3d47617963285c108e5f849d665cb7f3f66f003f54022a8b6667d2f17
Instruction Fuzzy Hash: D8419175604208EFDB15CF54D894A9A7FA9FF48311F2480AABD059F20AD7B0DA49DBA0

Function 00582F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00582F8D
LoadLibraryW.KERNEL32(?), ref: 00582F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00582FA9
DestroyWindow.USER32(?), ref: 00582FB1

Strings

SysAnimate32, xrefs: 00582F68

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: c5a9df02fe4c9887fc2e10e012473548c6ccd1c11cb4537729a59cbdfc0fb73a
Instruction ID: f9b708de27533462a715b01a900cba4b72a7ee68ec29a4f00bbaeb153f0766cb
Opcode Fuzzy Hash: c5a9df02fe4c9887fc2e10e012473548c6ccd1c11cb4537729a59cbdfc0fb73a
Instruction Fuzzy Hash: 43218871204209ABEB106F649C86EBB3FB9FF59368F100628FE50E6190D671DC51EB60

Function 00514D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00514D1E,005228E9,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002), ref: 00514D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00514DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00514D1E,005228E9,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002,00000000), ref: 00514DC3

Strings

mscoree.dll, xrefs: 00514D86
CorExitProcess, xrefs: 00514D98

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3dbe3f3354e3da9a1ddad49dcce0e5a2888249cf655f858f6f04f44ea3811917
Instruction ID: 8e8f1154d2e48608115675e70f31cca0662a86be3c0858602a2d33e4f99b4d46
Opcode Fuzzy Hash: 3dbe3f3354e3da9a1ddad49dcce0e5a2888249cf655f858f6f04f44ea3811917
Instruction Fuzzy Hash: 88F03C35A40208ABEB119B90EC49BEDBFA5FF54752F0011A8B905A62A0CB705989DFA1

Function 004F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F4EAE
FreeLibrary.KERNEL32(00000000,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4EC0

Strings

kernel32.dll, xrefs: 004F4E94
Wow64DisableWow64FsRedirection, xrefs: 004F4EA8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c0149ec74392b65d10fcac10dad7d4b1e71d0ca77d541319dc7379a9cda12280
Instruction ID: f690807cf26a7227823f3a3772cbac17e437c4bf32ccffed9ee5a9ed4952a67c
Opcode Fuzzy Hash: c0149ec74392b65d10fcac10dad7d4b1e71d0ca77d541319dc7379a9cda12280
Instruction Fuzzy Hash: 93E04636A02A225BD3221B25AC5CA6B6A58AFD2B63B050116AE00F2340DF788909D2B4

Function 004F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F4E74
FreeLibrary.KERNEL32(00000000,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E87

Strings

kernel32.dll, xrefs: 004F4E5B
Wow64RevertWow64FsRedirection, xrefs: 004F4E6E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 193d2fcfa3e63118cc0d87c4e4df39112ef6a967635902c407ca950f88783e71
Instruction ID: 9a14434c4a2f7c895d8af7114585d2a0d1f6869e0c4647cd371256f5c67256ee
Opcode Fuzzy Hash: 193d2fcfa3e63118cc0d87c4e4df39112ef6a967635902c407ca950f88783e71
Instruction Fuzzy Hash: 1DD0C231602A215787321B247C0CE9B2E18BFC1F213450212BE00B6210CF38CD09D7F4

Function 00562947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00562C05
DeleteFileW.KERNEL32(?), ref: 00562C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00562C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00562CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00562CC0

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 17ef426f57c9a35d27d4624d90876617e9eb5371d85cef7f61b1ea277da12cf0
Instruction ID: 429e785b9e7b309311a6d5dc76f251f53ffe9cc49ee2de37fd634faccdb4d44c
Opcode Fuzzy Hash: 17ef426f57c9a35d27d4624d90876617e9eb5371d85cef7f61b1ea277da12cf0
Instruction Fuzzy Hash: 38B14E7190051EABDF21DBA4CC89EEEBBBDFF48354F1040A6F609E7151EA349A448F61

Function 0057A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0057A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0057A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0057A468
CloseHandle.KERNEL32(?), ref: 0057A63D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 4570cc7dda3fec6bc2ace8cf07c660dde2d937d1d292876c966c4e790ebfab91
Instruction ID: 0d4944b50a5568cb5a6bfd4d31eafcc35c6dfcf3c98c6704e5a920cebf720cbc
Opcode Fuzzy Hash: 4570cc7dda3fec6bc2ace8cf07c660dde2d937d1d292876c966c4e790ebfab91
Instruction Fuzzy Hash: D0A1B171604301AFDB20DF24D886F2ABBE5BF84714F14881DF95A9B2D2D7B4EC418B96

Function 0052BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00593700), ref: 0052BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,005C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0052BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,005C1270,000000FF,?,0000003F,00000000,?), ref: 0052BC36
_free.LIBCMT ref: 0052BB7F

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052BD4B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: aef01aaa7c521de66e37dec8e038f2031f893b3089bf4d7ea62966da26b31f5b
Instruction ID: 5ccdf52e7bf502b96e3132c37c66dc2d449e634fe085628033fd4c7c99d92096
Opcode Fuzzy Hash: aef01aaa7c521de66e37dec8e038f2031f893b3089bf4d7ea62966da26b31f5b
Instruction Fuzzy Hash: 2D51297590062AAFEB10DF65AC859AEBFBCFF93310F10066AE410E71D1DB309E449750

Function 0055E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0055CF22,?), ref: 0055DDFD

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0055CF22,?), ref: 0055DE16

Part of subcall function 0055E199: GetFileAttributesW.KERNEL32(?,0055CF95), ref: 0055E19A

lstrcmpiW.KERNEL32(?,?), ref: 0055E473
MoveFileW.KERNEL32(?,?), ref: 0055E4AC
_wcslen.LIBCMT ref: 0055E5EB
_wcslen.LIBCMT ref: 0055E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0055E650

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 25105f2e7607296ffb73338d6ac997854ddc721e99f1f0356a5757f73d5ce0ef
Instruction ID: 42d21bce0d76f36e74f3739dc1e954d0323b059d66057c5d1060a37aec2c96ac
Opcode Fuzzy Hash: 25105f2e7607296ffb73338d6ac997854ddc721e99f1f0356a5757f73d5ce0ef
Instruction Fuzzy Hash: 4D5170B24083459BDB28EB90D8959DB7BECAF84341F00091FFA89D3151EF35A68C8766

Function 0057B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0057BB63
RegCloseKey.ADVAPI32(?,?), ref: 0057BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0057BBB3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 90bf3e372788b76a842338ec830fef7481275bb9e726927b3f6f0bd9491ea2d2
Instruction ID: 4edd9fbec5908848d42e7f14501ac65a2aaa0f962e980790c8e959e2c1d62f1f
Opcode Fuzzy Hash: 90bf3e372788b76a842338ec830fef7481275bb9e726927b3f6f0bd9491ea2d2
Instruction Fuzzy Hash: 9361CC70208241AFD314EF24D494F2ABBE5FF84348F14896DF4998B2A2CB31ED45DB92

Function 00558BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00558BCD
VariantClear.OLEAUT32 ref: 00558C3E
VariantClear.OLEAUT32 ref: 00558C9D
VariantClear.OLEAUT32(?), ref: 00558D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00558D3B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e126fc76770e39e5c252c45162991b644df177a277c0d28b8e1cf4a5361a120b
Instruction ID: 26ce9d003480703850f1c8356541e43182678f485165bd823a4f86d2b548dd30
Opcode Fuzzy Hash: e126fc76770e39e5c252c45162991b644df177a277c0d28b8e1cf4a5361a120b
Instruction Fuzzy Hash: 61515C75A00219DFCB14CF58C894AAABBF5FF89311B15855AED05EB350E730E915CF90

Function 00568AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00568BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00568BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00568C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00568C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00568C5F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: fccd07a7e8233c8a89c18cf748f01c9af0662b96b8347e9dbc67b066630d0a51
Instruction ID: 477fc86e2db75fafc40318e5588a4043989118aa0b06d528dedb868f1b0999cc
Opcode Fuzzy Hash: fccd07a7e8233c8a89c18cf748f01c9af0662b96b8347e9dbc67b066630d0a51
Instruction Fuzzy Hash: 7F515E35A00219AFDB10DF65C880E6DBBF5FF48318F088459E949AB3A2CB35ED45DB90

Function 00578EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00578F40
GetProcAddress.KERNEL32(00000000,?), ref: 00578FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00578FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00579032
FreeLibrary.KERNEL32(00000000), ref: 00579052

Part of subcall function 0050F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00561043,?,75C0E610), ref: 0050F6E6
Part of subcall function 0050F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0054FA64,00000000,00000000,?,?,00561043,?,75C0E610,?,0054FA64), ref: 0050F70D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 302da5569da81dc623c0974684cdcf7fc2a3621a1e2f0dd5b1f41fd61c3f8e03
Instruction ID: 71a1ca250450c34929f054c37151a61a8cec3e4d48caecc1b24f4a05a55a754f
Opcode Fuzzy Hash: 302da5569da81dc623c0974684cdcf7fc2a3621a1e2f0dd5b1f41fd61c3f8e03
Instruction Fuzzy Hash: EC513934600205DFCB11DF59D4989ADBFB1FF49358B048099E90AAB362DB35ED85DB90

Function 00586B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00586C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00586C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00586C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0056AB79,00000000,00000000), ref: 00586C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00586CC7

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 6984522041f6db56d2cbf398ec3a2e81877277532741cff8644336651c57f527
Instruction ID: 30808ce010c0f33b9125a5735e965253125879a34523c27a913fe1e332e2badc
Opcode Fuzzy Hash: 6984522041f6db56d2cbf398ec3a2e81877277532741cff8644336651c57f527
Instruction Fuzzy Hash: 3941AD35A04104AFDB24EF28CC58FA97FA5FB09360F140628EC99BB2A0C371ED41DB50

Function 00522051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005220C3
_free.LIBCMT ref: 005220E3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a2a8c313701d4dd797082f499640ab7e0bcd8984138f543abb3326eda9cc149a
Instruction ID: f4781d595fa8fc89f164460b4941c9345e4d6d6b73dd781d4daaea7e9faa1559
Opcode Fuzzy Hash: a2a8c313701d4dd797082f499640ab7e0bcd8984138f543abb3326eda9cc149a
Instruction Fuzzy Hash: CF41D23AA00214AFDB24DF78D885A5DBBA5FF8A314F154568E615EB391DB31AD01CB80

Function 0050912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00509141
ScreenToClient.USER32(00000000,?), ref: 0050915E
GetAsyncKeyState.USER32(00000001), ref: 00509183
GetAsyncKeyState.USER32(00000002), ref: 0050919D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 51e8be190fc1990ddc89e3ac8e07527eaf4fc79e3fe34a6ce6a412d7041e7ec6
Instruction ID: 2f35a03a06683654078966e83e2f939d95ea87ac7a514596f36af43defc554d8
Opcode Fuzzy Hash: 51e8be190fc1990ddc89e3ac8e07527eaf4fc79e3fe34a6ce6a412d7041e7ec6
Instruction Fuzzy Hash: D0415C71A0860BBBDF159F64C848BEEBF74FF49324F208219E829A62D5C7306954DB91

Function 00563874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00563922
TranslateMessage.USER32(?), ref: 0056394B
DispatchMessageW.USER32(?), ref: 00563955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00563966

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c0ea7a74d075069cef0dc2ed41d89bfa861765ffa7ed355694edf96ad42e74a5
Instruction ID: 68bf4082ccd283e59088f9ba99942beb67c4fc914019c57b5fb0c95ea3d73d3b
Opcode Fuzzy Hash: c0ea7a74d075069cef0dc2ed41d89bfa861765ffa7ed355694edf96ad42e74a5
Instruction Fuzzy Hash: 49318670504B429EEB35CF34D849FB63FA8FB26304F14096DE452931A1E7B49A89DF25

Function 0056CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0056C21E,00000000), ref: 0056CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0056CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0056C21E,00000000), ref: 0056CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0056C21E,00000000), ref: 0056CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0056C21E,00000000), ref: 0056CFF2

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 0af2a9361edd74e67706d6442231a097218ae3e9de8722470fee8eafb3c44522
Instruction ID: a3c3e3736d196e2cb22d37e4d98ceaf3b2d72fd6f11cd0efd7d1104fcfc96876
Opcode Fuzzy Hash: 0af2a9361edd74e67706d6442231a097218ae3e9de8722470fee8eafb3c44522
Instruction Fuzzy Hash: B8314B71600206EFDB20DFA5D8889BBBFF9FB54354B10442EF556E3241DB30AE459B60

Function 00551901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00551915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005519E2

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dcdd52c3bead9f19e13a0f033d6f278c565dfd9854448cefda15aae1489c8b70
Instruction ID: 0afe55da1736b3f2618e5a6e461c9c7b35318191e0ce691b12caabcc9db06ce3
Opcode Fuzzy Hash: dcdd52c3bead9f19e13a0f033d6f278c565dfd9854448cefda15aae1489c8b70
Instruction Fuzzy Hash: 68319E71A00219EFCB00CFA8C9A9B9E7FB5FB54315F10422AFD21AB2D1C7709948DB90

Function 00585706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00585745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0058579D
_wcslen.LIBCMT ref: 005857AF
_wcslen.LIBCMT ref: 005857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00585816

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ef1fad02d11082879055144a01a92baa6280d2815c53beddd70f986612a1fedd
Instruction ID: 1fa1c053497fa8d5207b463e83c44ddd8223fb53f294cbe0ab43d3158e90d614
Opcode Fuzzy Hash: ef1fad02d11082879055144a01a92baa6280d2815c53beddd70f986612a1fedd
Instruction Fuzzy Hash: 8321A2319046189ADF21AFA4CC84AEEBFB8FF54320F108616ED29FA190E7708985CF50

Function 00570930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00570951
GetForegroundWindow.USER32 ref: 00570968
GetDC.USER32(00000000), ref: 005709A4
GetPixel.GDI32(00000000,?,00000003), ref: 005709B0
ReleaseDC.USER32(00000000,00000003), ref: 005709E8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 611e2b847e00976160a8b5fdb50c684a6275260868f6f32dbb44374ff15f09da
Instruction ID: 05dee59f52bd6391c9b355af96a6d51d57df055b0b79ba976afef32de0fab01d
Opcode Fuzzy Hash: 611e2b847e00976160a8b5fdb50c684a6275260868f6f32dbb44374ff15f09da
Instruction Fuzzy Hash: 0A216F35600204AFD704EF69D989AAEBFE9FF44744F04846DE94AA7352DB34EC04DBA0

Function 0052CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0052CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0052CDE9

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0052CE0F
_free.LIBCMT ref: 0052CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0052CE31

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 84b5979bb748b308159142f0e9b6c34910f250f83c5ae5c9a1532d1c22e20eac
Instruction ID: c2bc17351f399ea153f88ef2a3da253a5ab2eff20b79b509e8d2a8365f1d603d
Opcode Fuzzy Hash: 84b5979bb748b308159142f0e9b6c34910f250f83c5ae5c9a1532d1c22e20eac
Instruction Fuzzy Hash: D00171726026257F232216B67C8CD7F6D6DFEC7BA13160129FD05D7282EA618D0292B1

Function 00509639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00509693
SelectObject.GDI32(?,00000000), ref: 005096A2
BeginPath.GDI32(?), ref: 005096B9
SelectObject.GDI32(?,00000000), ref: 005096E2

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d5e0b9fb64b79f1affe53c2cf826b1d974f73fa09b92df0b83950c58ef9cb0c9
Instruction ID: 231c686cba4ba4845116f9d5952e632df4777b305d82ca84f5cbcf3aaea1edd9
Opcode Fuzzy Hash: d5e0b9fb64b79f1affe53c2cf826b1d974f73fa09b92df0b83950c58ef9cb0c9
Instruction Fuzzy Hash: 9C217170801B09EFDB119F64EC08BAD3FB4BB61755F100215F811A71E6D3719859EB98

Function 00555711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00555726
_memcmp.LIBVCRUNTIME ref: 00555744
_memcmp.LIBVCRUNTIME ref: 00555757
_memcmp.LIBVCRUNTIME ref: 0055576F
_memcmp.LIBVCRUNTIME ref: 00555787

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2cc3f02c4fdae2c561e510510b075cef5fa72baab72a14ff1d45b7cc738574a3
Instruction ID: 83f66314ef1f3781c7ee3c7db95d920a5e93d553dd51a06292bc6e261a8e9c0a
Opcode Fuzzy Hash: 2cc3f02c4fdae2c561e510510b075cef5fa72baab72a14ff1d45b7cc738574a3
Instruction Fuzzy Hash: 8001F961251A09BBE20861119D72FFB7F5CFB683D6F100422FE05AA241F720EE5483A4

Function 00522DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0051F2DE,00523863,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6), ref: 00522DFD
_free.LIBCMT ref: 00522E32
_free.LIBCMT ref: 00522E59
SetLastError.KERNEL32(00000000,004F1129), ref: 00522E66
SetLastError.KERNEL32(00000000,004F1129), ref: 00522E6F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 38db5272b1a93979a5512a470a485ccb936f926015f106e9aebe0e9d4c62717e
Instruction ID: 02ec73fc5d1332297306b8ee470aef436bb893bb9e0b778f5f08cbf6d6054110
Opcode Fuzzy Hash: 38db5272b1a93979a5512a470a485ccb936f926015f106e9aebe0e9d4c62717e
Instruction Fuzzy Hash: 2B01D13E205621BB861227787C4AD3B2E5DBFE73A1F224928F825A21D2EE748C056120

Function 0055000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?,?,0055035E), ref: 0055002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?), ref: 00550064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550070

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 41a83b1a1a3158aa04227c76a2956a14f8629e42c1f85aba4b6ce6886bff8a6a
Instruction ID: d9b53a5fa9ee7ddf9c5f928cc394796dcdae82dd35ad3c4b96821c16a5ab9814
Opcode Fuzzy Hash: 41a83b1a1a3158aa04227c76a2956a14f8629e42c1f85aba4b6ce6886bff8a6a
Instruction Fuzzy Hash: C2018F72600204BFDB104F69DC08BAA7EADFB44752F546125FD05E22A0D771DD48ABA0

Function 0055E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0055E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0055E9A5
Sleep.KERNEL32(00000000), ref: 0055E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0055E9B7
Sleep.KERNEL32 ref: 0055E9F3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b88d9c85624ef431dfd0335e984c40ddd38912ae5f171a37762fb5b39ab0635f
Instruction ID: 04bd6edc157cde6116a4bdcee8c13953b7344567f8c6edd425b3cc92676cc77c
Opcode Fuzzy Hash: b88d9c85624ef431dfd0335e984c40ddd38912ae5f171a37762fb5b39ab0635f
Instruction Fuzzy Hash: 1B015731C01629DBCF04ABE4D8AEAEDBF78BB19302F000546E912B2241DB309658DBA1

Function 005510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 0055112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0055114D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b5db23affd37ea1193ac919f1dddf6ba48911c9327bc1710e57a70590e2de36a
Instruction ID: 5b2725359efb55ab53947f88874cb069b1ee316aaa74f588aa953cc7fec72183
Opcode Fuzzy Hash: b5db23affd37ea1193ac919f1dddf6ba48911c9327bc1710e57a70590e2de36a
Instruction Fuzzy Hash: 5B014675200605AFDB114BA4EC89A6A3F6EEF893A1B210459FE41E2260DB31DC04EB70

Function 00550FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00550FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00550FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00550FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00550FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00551002

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 548ecc46d7149afc0a4880740e9f947bd7d5b2035b1e3b44db36440bfefd1770
Instruction ID: 6f86616aa1a9876118af4aeccd6489697a16d67899a905dbc9c8589743305bf2
Opcode Fuzzy Hash: 548ecc46d7149afc0a4880740e9f947bd7d5b2035b1e3b44db36440bfefd1770
Instruction Fuzzy Hash: 0CF08735200301EBDB210FA5AC8DF5A3FA9FF99762F500415FE05AA2A0DA30E8449B70

Function 00551014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0055102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00551036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0055104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551062

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4b8e13848fdb19141faacec7786e2a7f1de7c281878ef122da1f26233ca14b28
Instruction ID: 5773515caa62e809d2da9054621dceb4f1d119d9dc93fb7bdfd0ea5bdb50c81a
Opcode Fuzzy Hash: 4b8e13848fdb19141faacec7786e2a7f1de7c281878ef122da1f26233ca14b28
Instruction Fuzzy Hash: 54F03735200711EBDB215FA6EC9DF5A3FADFF99662F200415FE45AA2A0CA70D8449B70

Function 0056030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560324
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560331
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 0056033E
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 0056034B
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560358
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560365

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fbc15be1e9ee5505ed70a464ce56c79526ba6c59d1fbffcfdbd477edad50e6c5
Instruction ID: 9157d27f7e4dbd0bbd68af61d6ce7f3e1817db4d7f0669fd80b972a19ebf4e88
Opcode Fuzzy Hash: fbc15be1e9ee5505ed70a464ce56c79526ba6c59d1fbffcfdbd477edad50e6c5
Instruction Fuzzy Hash: 0101DC72900B118FCB30AF66D880803FBF9BE602063049E3ED19252A70C3B0A988DF80

Function 0052D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0052D752

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052D764
_free.LIBCMT ref: 0052D776
_free.LIBCMT ref: 0052D788
_free.LIBCMT ref: 0052D79A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a1e88271189b3584d8f16097a959608470c007d38ba735cace81bd5f62ddf1b4
Instruction ID: 37288e8e8b338178870eebea87e7eccfea11a61d0c48984fafa14317ee63cafa
Opcode Fuzzy Hash: a1e88271189b3584d8f16097a959608470c007d38ba735cace81bd5f62ddf1b4
Instruction Fuzzy Hash: D0F03C32504625AB8661EB64F9C5D167FEDFF4A310BA80C05F049D7582C728FCC08674

Function 00555C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00555C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00555C6F
MessageBeep.USER32(00000000), ref: 00555C87
KillTimer.USER32(?,0000040A), ref: 00555CA3
EndDialog.USER32(?,00000001), ref: 00555CBD

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d0ec61a17feb230a8063301f0a93249d6333ec81ff96e7864a149fb5f5f7a0fa
Instruction ID: d364d5b26de1b84db588f2830b16cafc53d0dfd136d1c89cf1163a96eca241be
Opcode Fuzzy Hash: d0ec61a17feb230a8063301f0a93249d6333ec81ff96e7864a149fb5f5f7a0fa
Instruction Fuzzy Hash: 6B018B305007049BEB205B15DD6EFA57FB8BF10706F00156AA953B14E1E7F46D4C9B50

Function 005222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005222BE

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 005222D0
_free.LIBCMT ref: 005222E3
_free.LIBCMT ref: 005222F4
_free.LIBCMT ref: 00522305

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1cad38b2f35d1456ef4aaf90c06edf01498af6e67d65782b2c6d8721df60b5e9
Instruction ID: 991bb1a067fc17ad9979c32a9a8ad53962ae4240f4e0492523a9749bc4c1a63e
Opcode Fuzzy Hash: 1cad38b2f35d1456ef4aaf90c06edf01498af6e67d65782b2c6d8721df60b5e9
Instruction Fuzzy Hash: 61F01D7E800932AF8612AF54BC05C483F64FB3A751B41160AF418D22F2C73514D5BAA8

Function 005095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005095D4
StrokeAndFillPath.GDI32(?,?,005471F7,00000000,?,?,?), ref: 005095F0
SelectObject.GDI32(?,00000000), ref: 00509603
DeleteObject.GDI32 ref: 00509616
StrokePath.GDI32(?), ref: 00509631

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4cf92d1122fbce94cbc6bf74944575d24676dcc19b78bac3be0156763d9d60f0
Instruction ID: 4f521d53bcd5723f6a2d97a6f9c515483fa6616c5982466dd4c240c1f900550d
Opcode Fuzzy Hash: 4cf92d1122fbce94cbc6bf74944575d24676dcc19b78bac3be0156763d9d60f0
Instruction Fuzzy Hash: 49F03C30005E08EFDB525F65ED1CB683F61BB22362F048214F825650F2C73189A9FF28

Function 00520F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005210F9
__freea.LIBCMT ref: 00521117

Part of subcall function 00521537: _free.LIBCMT ref: 0052154F

Strings

am/pm, xrefs: 0052117A
a/p, xrefs: 005211DE

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e42d355f466611826be57ef3bb4f10f0e7361a8ecb662a167520957b3a33c7da
Instruction ID: 5961793179dbf644691af7fe18d1e5abf505e9a6fc7ea462c5bd2795a3b77847
Opcode Fuzzy Hash: e42d355f466611826be57ef3bb4f10f0e7361a8ecb662a167520957b3a33c7da
Instruction Fuzzy Hash: 6DD1E335900A26DBDB24CF68E8896BBBFB2FF37310F240959E5019B6D0D2359D81CB59

Function 005761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00510242: EnterCriticalSection.KERNEL32(005C070C,005C1884,?,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051024D
Part of subcall function 00510242: LeaveCriticalSection.KERNEL32(005C070C,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051028A

Part of subcall function 005100A3: __onexit.LIBCMT ref: 005100A9

__Init_thread_footer.LIBCMT ref: 00576238

Part of subcall function 005101F8: EnterCriticalSection.KERNEL32(005C070C,?,?,00508747,005C2514), ref: 00510202
Part of subcall function 005101F8: LeaveCriticalSection.KERNEL32(005C070C,?,00508747,005C2514), ref: 00510235

Part of subcall function 0056359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005635E4
Part of subcall function 0056359C: LoadStringW.USER32(005C2390,?,00000FFF,?), ref: 0056360A

Strings

x#\, xrefs: 0057636F
x#\, xrefs: 0057633A
x#\, xrefs: 00576353

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#\$x#\$x#\
API String ID: 1072379062-1758250086
Opcode ID: a4636201e6262ce5aeb0f39e8ec05ac95a7c92bb0c3b5b63ff31adc4a326d476
Instruction ID: 13a5e13e8e00ca8249c6e7323a7b12d56b772d94d2acffe84785847ced4e330d
Opcode Fuzzy Hash: a4636201e6262ce5aeb0f39e8ec05ac95a7c92bb0c3b5b63ff31adc4a326d476
Instruction Fuzzy Hash: C7C19371A0050AAFCB14DF98D895EBEBBB9FF48300F148469F9099B291DB70ED45DB90

Function 00525AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOO, xrefs: 00525BA8, 00525C6C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: JOO
API String ID: 0-332324559
Opcode ID: 3aa16df302615e315110e76043f0e083397f7a9caf1e75ff64c77b475fbf05ff
Instruction ID: 9e8eef30e6ca0bbc4c7287468706ea3a9acd8cdd8ae8bd90ff558789fc7797b1
Opcode Fuzzy Hash: 3aa16df302615e315110e76043f0e083397f7a9caf1e75ff64c77b475fbf05ff
Instruction Fuzzy Hash: 3F51CF75E0062AAFDB219FA4E849EEEBFB8BF86310F140419F405B72D1F6319D419B61

Function 00528A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00528B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00528B7A
__dosmaperr.LIBCMT ref: 00528B81

Strings

.Q, xrefs: 00528A63

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .Q
API String ID: 2434981716-3049930668
Opcode ID: d4604b0b6e571cd9d71ff27874684737e20028e9cfda745ca2464129824c2521
Instruction ID: bbd51590d99576c244dd911ebf38b6bc388bb0d8aa600dc96099afbdbed7be25
Opcode Fuzzy Hash: d4604b0b6e571cd9d71ff27874684737e20028e9cfda745ca2464129824c2521
Instruction Fuzzy Hash: A0418C70605065AFDB249FA4EC85A797FA5FF87310F2845ADF895876C2DE318C029790

Function 00552716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0055B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005521D0,?,?,00000034,00000800,?,00000034), ref: 0055B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00552760

Part of subcall function 0055B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0055B3F8

Part of subcall function 0055B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0055B355
Part of subcall function 0055B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00552194,00000034,?,?,00001004,00000000,00000000), ref: 0055B365
Part of subcall function 0055B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00552194,00000034,?,?,00001004,00000000,00000000), ref: 0055B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0055281A

Strings

@, xrefs: 00552832

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4a5bd50673a57653d49ecd91eea445f71a45addba7effd94bb5a6ab129fb60ad
Instruction ID: ad670d302e20d11d122f9ff2c71dcbab102e7f0e51691a468baee6e6253a0940
Opcode Fuzzy Hash: 4a5bd50673a57653d49ecd91eea445f71a45addba7effd94bb5a6ab129fb60ad
Instruction Fuzzy Hash: C3413C72900219BFDB10DBA4CD95AEEBBB8FF49300F10405AFA55B7181DB706E49CBA1

Function 0052172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00521769
_free.LIBCMT ref: 00521834
_free.LIBCMT ref: 0052183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00521760, 00521767, 00521796, 005217CE

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: ce29cbd838ee322d1c55cc057d39282492a36cb593890da2e14aa1fa376f3a5d
Instruction ID: 34bed8f827c99fde71392f278419a59f0a1df15347474c743e19b01f9a304b9b
Opcode Fuzzy Hash: ce29cbd838ee322d1c55cc057d39282492a36cb593890da2e14aa1fa376f3a5d
Instruction Fuzzy Hash: B6319379A00A28AFDB11DB99A885D9FBFBCFFA6310F144166E40497251D6708A40D794

Function 0055C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0055C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0055C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005C1990,01415390), ref: 0055C395

Strings

0, xrefs: 0055C2DF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e09bf993125fea049a0706debf579507ee3b44efcfede3df11d1efa9ff6cb34e
Instruction ID: 45d32b930bfccaca9fdf10ee222f150f5d75d8d6156cf342c3e611a11620638d
Opcode Fuzzy Hash: e09bf993125fea049a0706debf579507ee3b44efcfede3df11d1efa9ff6cb34e
Instruction Fuzzy Hash: DF418E312043069FDB20DF25D894B6ABFE4BF85321F158A1EFDA597291D730A908CB62

Function 00584416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0058CC08,00000000,?,?,?,?), ref: 005844AA
GetWindowLongW.USER32 ref: 005844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005844D7

Strings

SysTreeView32, xrefs: 0058447C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 30ae22fd57acff09e1404a3f8a6a927645671c2ac61542d39fa7db7db3594a7c
Instruction ID: 549f8127dc2d868a157377fce8241e639109597a97c8dc086060b9ddd9459e5e
Opcode Fuzzy Hash: 30ae22fd57acff09e1404a3f8a6a927645671c2ac61542d39fa7db7db3594a7c
Instruction Fuzzy Hash: 59317C31210606AFDF20AE78DC45BEA7BA9FB49324F204725FD75A21E1D770AC509B60

Function 00556E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00556EED
VariantCopyInd.OLEAUT32(?,?), ref: 00556F08
VariantClear.OLEAUT32(?), ref: 00556F12

Strings

*jU, xrefs: 00556E8B, 00556E90, 00556EF8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jU
API String ID: 2173805711-1317551218
Opcode ID: 174df69d5a610740252549747dd97a0117b8f0ce579901fd4f3e100caecafec4
Instruction ID: 0b372dc8b13ddb610d7439a1ef58879432e545352e43ae7d554bb816539ef78a
Opcode Fuzzy Hash: 174df69d5a610740252549747dd97a0117b8f0ce579901fd4f3e100caecafec4
Instruction Fuzzy Hash: 3831C771A04289DFCB04AF65E8619BD3B76FF85305B50085EFD024B2B1C7349959DBE4

Function 0057304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0057335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00573077,?,?), ref: 00573378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0057307A
_wcslen.LIBCMT ref: 0057309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00573106

Strings

255.255.255.255, xrefs: 00573095, 0057309A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: a7899dd2439de73536c7d4e952f25e5c4e6b4706991d36dec0f93656b2c48689
Instruction ID: 45467ca2f1274bd04d312d5f511df5c264b68714cd5ff066d602c96070597707
Opcode Fuzzy Hash: a7899dd2439de73536c7d4e952f25e5c4e6b4706991d36dec0f93656b2c48689
Instruction Fuzzy Hash: EF31D5396002059FC710DF29D489EA97FE0FF54328F64C459E9198B3A2D771EE45EB60

Function 00584653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00584705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00584713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0058471A

Strings

msctls_updown32, xrefs: 00584684

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1399bc825b749d850578131b9fbcd129035f9aebcf892f413148de33f401434b
Instruction ID: d2f64de8b2cb16923bf58984bd300227055f23f126550e78f8e4ab8fa271b703
Opcode Fuzzy Hash: 1399bc825b749d850578131b9fbcd129035f9aebcf892f413148de33f401434b
Instruction Fuzzy Hash: F5217FB5600209AFDB10EF68DC85DB63BADFB9A358B000059FE01EB251DB30EC12DB60

Function 005595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0055961D

Strings

#OnAutoItStartRegister, xrefs: 005595F3
#notrayicon, xrefs: 005595B7
#requireadmin, xrefs: 005595D9

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: dc7a2088fae28478178b017456cdf5dc222e58413bfb9ce30d06f5574008c10b
Instruction ID: bb8a85d611b72516d52c6710791793ecc63c19d1cc863ab633287d736b3821ef
Opcode Fuzzy Hash: dc7a2088fae28478178b017456cdf5dc222e58413bfb9ce30d06f5574008c10b
Instruction Fuzzy Hash: 02214332204211A6E731AA24D826FBB7B98BFA4311F44442BFE4997081EB58AD9DC3D5

Function 005837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00583840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00583850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00583876

Strings

Listbox, xrefs: 0058380F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9dc7c8bf3edd88ecd952e07de6a300878a469247972f564fcfa3b568e2ddc78e
Instruction ID: 7908fe957dc89b9e4167ab7f6aa0e108e668f3fe58aa231b4b61fffea9c5ebaa
Opcode Fuzzy Hash: 9dc7c8bf3edd88ecd952e07de6a300878a469247972f564fcfa3b568e2ddc78e
Instruction Fuzzy Hash: D221B072610118BBEF119F54CC45EBB3B6EFF89B54F118124FD00AB190CA71DD528BA0

Function 005649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00564A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00564A5C
SetErrorMode.KERNEL32(00000000,?,?,0058CC08), ref: 00564AD0

Strings

%lu, xrefs: 00564A6F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 63dc03e2afedb300bd65f01f8c22b45d3ceab701c8298365787d596e0a5e4ec0
Instruction ID: d72ae9fe4c6331f4e3185c701582a4c30938d2930c4ad875c541f449b107ae17
Opcode Fuzzy Hash: 63dc03e2afedb300bd65f01f8c22b45d3ceab701c8298365787d596e0a5e4ec0
Instruction Fuzzy Hash: 2A313E75A00209AFDB10DF64C885EAA7BF9FF48308F1480A9E909EB252D775ED45CB61

Function 005841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0058424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00584264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00584271

Strings

msctls_trackbar32, xrefs: 00584226

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4238134bca26684249158117794710e81eb2fdd931a2c297d1735a603a071e74
Instruction ID: 93091f66680e6c0dd835ee2f414e23f83ab57b505ce7f684dc8f719dc8cfcfae
Opcode Fuzzy Hash: 4238134bca26684249158117794710e81eb2fdd931a2c297d1735a603a071e74
Instruction Fuzzy Hash: 3611C131244209BEEF20AE29CC06FAB3BACFF95B54F110524FE55F6090D671D8219B20

Function 00552F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Part of subcall function 00552DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00552DC5
Part of subcall function 00552DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00552DD6
Part of subcall function 00552DA7: GetCurrentThreadId.KERNEL32 ref: 00552DDD
Part of subcall function 00552DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00552DE4

GetFocus.USER32 ref: 00552F78

Part of subcall function 00552DEE: GetParent.USER32(00000000), ref: 00552DF9

GetClassNameW.USER32(?,?,00000100), ref: 00552FC3
EnumChildWindows.USER32(?,0055303B), ref: 00552FEB

Strings

%s%d, xrefs: 00552FFF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 824821f81afdb5c522bd8157098137e61f6c5703ff7fb812375e56da87679a0c
Instruction ID: e1250dbe2dddbdc0a38dd38fe08c224b9def11318620e9d003d868cff72c60fe
Opcode Fuzzy Hash: 824821f81afdb5c522bd8157098137e61f6c5703ff7fb812375e56da87679a0c
Instruction Fuzzy Hash: DE11A5716002196BCF54BF658C99EED3F6ABF94305F044076BD09AB192DE30594D9B70

Function 00585882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005858EE
DrawMenuBar.USER32(?), ref: 005858FD

Strings

0, xrefs: 0058588F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 9fefd2648632ad56324632ddf8e2fd24d45e15363b20c1faee6bc00b03c7abb5
Instruction ID: ab574b015806f2ab2f5057b9ed279a0feaaf2a2343e04ccd65e1712923673b2b
Opcode Fuzzy Hash: 9fefd2648632ad56324632ddf8e2fd24d45e15363b20c1faee6bc00b03c7abb5
Instruction Fuzzy Hash: 3B010C31500219EEDB61AF11D844BAEBFB8BB45361F148499E849E6161EB308A94EF21

Function 0055007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b8b46d8c7555de6fe7dfa797c4df44976cfc567196fcc0cdb3814f5b1d7b0c
Instruction ID: 1920e79813fbca3741fe8a4967be61043b7a652dfa6324b9ccdd30e30aa08a37
Opcode Fuzzy Hash: c0b8b46d8c7555de6fe7dfa797c4df44976cfc567196fcc0cdb3814f5b1d7b0c
Instruction Fuzzy Hash: E0C19E75A00206EFCB14CF94C8A4EAEBBB5FF48315F219599E805EB291D730ED45DB90

Function 0057342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00573459
CoUninitialize.OLE32 ref: 00573463
VariantInit.OLEAUT32(?), ref: 0057346E
VariantClear.OLEAUT32(?), ref: 0057371B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 48b6ae55771651cab64785c7ea37940419d227b533420a73388202eadd0e607c
Instruction ID: dae02da31492058f1bbb572c8932ea78b2cf292ec6d52702846cf168ddff5176
Opcode Fuzzy Hash: 48b6ae55771651cab64785c7ea37940419d227b533420a73388202eadd0e607c
Instruction Fuzzy Hash: 63A18E75204305AFC700DF25D485A2ABBE5FF88724F04885DF98A9B362DB34EE05DB55

Function 00550436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0058FC08,?), ref: 005505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0058FC08,?), ref: 00550608
CLSIDFromProgID.OLE32(?,?,00000000,0058CC40,000000FF,?,00000000,00000800,00000000,?,0058FC08,?), ref: 0055062D
_memcmp.LIBVCRUNTIME ref: 0055064E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 886397ee12544fd5694308ef544316add36c7f2353309a8c96f28dc3a93a2dd0
Instruction ID: 875153ce3094038dad34bb64abeced8f4b5acfe71be9b77f6bbb1ffbb7325dab
Opcode Fuzzy Hash: 886397ee12544fd5694308ef544316add36c7f2353309a8c96f28dc3a93a2dd0
Instruction Fuzzy Hash: E0810071900109EFCB04DF94C994DEEBBB9FF89315F104559E916AB250DB71AE0ACF60

Function 0057A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0057A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0057A6BA

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0057A79C
CloseHandle.KERNEL32(00000000), ref: 0057A7AB

Part of subcall function 0050CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00533303,?), ref: 0050CE8A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: c698848a35c0d40d4b0b1cb4abdb6fd96d7b2b8a4c14915ddb850caab0d147c2
Instruction ID: b56daccf3dfc874434f98a2c985e734aee6160d762e42d511dcd12a8e970f7fe
Opcode Fuzzy Hash: c698848a35c0d40d4b0b1cb4abdb6fd96d7b2b8a4c14915ddb850caab0d147c2
Instruction Fuzzy Hash: C4515D715083059FD710EF25D886A6FBBE8FF89754F00891EF58997291EB34D904CB92

Function 00531391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005314C0

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd038424b4737c9e658c74b38a6f24763c12cca09e60ec098f59603cd2e885db
Instruction ID: a520121f953732c098a55324d7c80fea5dfd94648feff05b2f88fd6fdfdf7ab2
Opcode Fuzzy Hash: bd038424b4737c9e658c74b38a6f24763c12cca09e60ec098f59603cd2e885db
Instruction Fuzzy Hash: 63417C35A00912ABEF217BBC9C4A6BE3FA5FF82330F144625F429D22D2FA3048815775

Function 00586278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005862E2
ScreenToClient.USER32(?,?), ref: 00586315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00586382

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ac1c0cd86e1326048f716f6c21e9086121607a2419d91b3b8a8ae1bd1967396e
Instruction ID: 0b53c86be15322f4578c6cc0208d47844c5906e5f9e17852c3653a6257fa53cb
Opcode Fuzzy Hash: ac1c0cd86e1326048f716f6c21e9086121607a2419d91b3b8a8ae1bd1967396e
Instruction Fuzzy Hash: 92512A74A00609EFDF10EF68D880AAE7BB5FF55360F108569F955AB2A0DB30ED41DB50

Function 00571AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00571AFD
WSAGetLastError.WSOCK32 ref: 00571B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00571B8A
WSAGetLastError.WSOCK32 ref: 00571B94

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7a41fed85caecc07102f11de8e1dcde679ede90372c65ca3865fdc7ec87997c4
Instruction ID: d9bcc3985e0c5b7facb24e2c3fff8e310e9942524b043512e8a9ec3c75d01537
Opcode Fuzzy Hash: 7a41fed85caecc07102f11de8e1dcde679ede90372c65ca3865fdc7ec87997c4
Instruction Fuzzy Hash: 3C419E34600600AFE720AF25D886F3A7BE5AB44718F54C48DFA1A9F2D3D776ED418B94

Function 0052B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e37b1b18ba06d383d01a50ee2e621719f90ef468cf17587c8482b7193fb8e2c
Instruction ID: 68f63b80d0606c9dc566ebeebf3df4fac5ed4ca049c98a1e186c7050fef23978
Opcode Fuzzy Hash: 0e37b1b18ba06d383d01a50ee2e621719f90ef468cf17587c8482b7193fb8e2c
Instruction Fuzzy Hash: AC41F675A00614AFEB24AF38DC85BAA7FAAFF85710F10452AF551DB2C2D37199418780

Function 005656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00565783
GetLastError.KERNEL32(?,00000000), ref: 005657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005657FA

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b6407f1b22ed03b4cf45c0917954ada580e13941d70aaddf186173a73ceab782
Instruction ID: 1d93297c174ea20edb8c7c1ffd79501508a499b04c39730ffdab968fd2d5b061
Opcode Fuzzy Hash: b6407f1b22ed03b4cf45c0917954ada580e13941d70aaddf186173a73ceab782
Instruction Fuzzy Hash: 2B415E39200615DFCB10DF15C544A2DBBE2FF89368B188489ED4AAB762DB78FD04CB95

Function 0052D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00516D71,00000000,00000000,005182D9,?,005182D9,?,00000001,00516D71,?,00000001,005182D9,005182D9), ref: 0052D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0052D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0052D9AB
__freea.LIBCMT ref: 0052D9B4

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7d0e7075d475ace9dd7a9c295015dc23b050bdc5dfc87db54f09a3b80125b807
Instruction ID: 4f442d19ccfc309a5fa0f20528235e7c44c2e3beb25fef0df652b9bfdc3ebeee
Opcode Fuzzy Hash: 7d0e7075d475ace9dd7a9c295015dc23b050bdc5dfc87db54f09a3b80125b807
Instruction Fuzzy Hash: F3319F72A0021AABDB24DF64EC85EAE7FB5FF42350F154168FC0496290EB35DD94CBA0

Function 005852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00585352
GetWindowLongW.USER32(?,000000F0), ref: 00585375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00585382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005853A8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 7f2cac309be4840e0f34738fbaab983466a09c44cb8fcbd4c34d8f834e129ded
Instruction ID: f04d945162cc56a362024a71381401ff2972102066a3c5e5418604f9c4116eda
Opcode Fuzzy Hash: 7f2cac309be4840e0f34738fbaab983466a09c44cb8fcbd4c34d8f834e129ded
Instruction Fuzzy Hash: 9831AF34A55E08BFEB21AE14CC06FE83F65BB05391F984901BE11B61E1EBB49E40AB51

Function 0055AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0055ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0055AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0055AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0055ACC6

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1f70528852b32140545a6cf3d2998b2fc49da4e238a3f10387678a2fa354eebe
Instruction ID: 92dbdae140ea5f88f85c4ca9eec973da9d6db041ea8cefd54ce0bd92330bed89
Opcode Fuzzy Hash: 1f70528852b32140545a6cf3d2998b2fc49da4e238a3f10387678a2fa354eebe
Instruction Fuzzy Hash: 43311430A00218AFFF25CB6988297FA7FA5BB89312F04471BFC85961D0D3748D8D9762

Function 00587674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0058769A
GetWindowRect.USER32(?,?), ref: 00587710
PtInRect.USER32(?,?,00588B89), ref: 00587720
MessageBeep.USER32(00000000), ref: 0058778C

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: dd74bcd46a22f3c7b9ad854e2cfd193247b9aa422eca746ae86a5460aa24c582
Instruction ID: ed8150770d706fbb0f8e593bd3a34f3118729fb27b01c58f44b2d5f407ecde33
Opcode Fuzzy Hash: dd74bcd46a22f3c7b9ad854e2cfd193247b9aa422eca746ae86a5460aa24c582
Instruction Fuzzy Hash: 9F419A34A056199FCB01EF58C894EA9BFF4FB5E300F2840A8EC14EB261D330E945DB90

Function 005816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005816EB

Part of subcall function 00553A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553A57
Part of subcall function 00553A3D: GetCurrentThreadId.KERNEL32 ref: 00553A5E
Part of subcall function 00553A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005525B3), ref: 00553A65

GetCaretPos.USER32(?), ref: 005816FF
ClientToScreen.USER32(00000000,?), ref: 0058174C
GetForegroundWindow.USER32 ref: 00581752

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9dfa36b149f99eac205410f3618c63716ec09ff27af1abaf9e80b4bb2e77a9dc
Instruction ID: 8da59a442fae849ad2424951b78087e5fe4a937d02001729b057de3e9d0230b5
Opcode Fuzzy Hash: 9dfa36b149f99eac205410f3618c63716ec09ff27af1abaf9e80b4bb2e77a9dc
Instruction Fuzzy Hash: 5B313275D00149AFCB00EFAAC885CAEBBFDFF48304B50406EE515E7251D6359E45CBA5

Function 00588FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

GetCursorPos.USER32(?), ref: 00589001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00547711,?,?,?,?,?), ref: 00589016
GetCursorPos.USER32(?), ref: 0058905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00547711,?,?,?), ref: 00589094

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e270f83bc65321be755c81f87a224a131b18668a68524464eb0598d90ec33ed6
Instruction ID: cdb92b26bd29e30cf67832eadd7883d36d2622b674a9da960dd413eb2f6273df
Opcode Fuzzy Hash: e270f83bc65321be755c81f87a224a131b18668a68524464eb0598d90ec33ed6
Instruction Fuzzy Hash: 70219F35600418EFCB259F94CC59EFA7FB9FB8A350F184065FD066B2A2C3319950EB60

Function 0055D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0058CB68), ref: 0055D2FB
GetLastError.KERNEL32 ref: 0055D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0055D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0058CB68), ref: 0055D376

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c53669599eebda37427641ac09ad7a06d8f4a1f5413e0050ae64f34b94de3512
Instruction ID: 3bc1c02859acefb2140bc40a0d728527d7ee38f2c1c9bc08a853ffe69248277d
Opcode Fuzzy Hash: c53669599eebda37427641ac09ad7a06d8f4a1f5413e0050ae64f34b94de3512
Instruction Fuzzy Hash: 31219E755052019FC320EF29C89186ABBE4BF55369F104E1EF899D32A1DB30D909CBA3

Function 00551571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00551014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0055102A
Part of subcall function 00551014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00551036
Part of subcall function 00551014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551045
Part of subcall function 00551014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0055104C
Part of subcall function 00551014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005515BE
_memcmp.LIBVCRUNTIME ref: 005515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00551617
HeapFree.KERNEL32(00000000), ref: 0055161E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4751667e5396027b4a1f6d8808bf1c124b57ca1e6c49c9a5d42a45ebdbca0378
Instruction ID: cf5c7790f663272833bb712692ea3b365b3cbcbe963c916c4eddb64b3246102b
Opcode Fuzzy Hash: 4751667e5396027b4a1f6d8808bf1c124b57ca1e6c49c9a5d42a45ebdbca0378
Instruction Fuzzy Hash: FC216B31E40509AFDF10DFA4C959BEEBFB8FF44345F08445AE851AB241E730AA09DB64

Function 00582782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0058280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00582824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00582832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00582840

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 70bad74d9ff84696a4bf00e031a2c2c4cb071fcbc8c8ff0f890637a9f0b5f35c
Instruction ID: 7b639ed9ac99ffc1b02d31adef91c65be96053eb038502a52febd480a6c4adbb
Opcode Fuzzy Hash: 70bad74d9ff84696a4bf00e031a2c2c4cb071fcbc8c8ff0f890637a9f0b5f35c
Instruction Fuzzy Hash: F221B035204215AFDB14AB25C844FAA7F95FF85328F148159F826DB6E2C775EC42CBA0

Function 005578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00558D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0055790A,?,000000FF,?,00558754,00000000,?,0000001C,?,?), ref: 00558D8C
Part of subcall function 00558D7D: lstrcpyW.KERNEL32(00000000,?,?,0055790A,?,000000FF,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00558DB2
Part of subcall function 00558D7D: lstrcmpiW.KERNEL32(00000000,?,0055790A,?,000000FF,?,00558754,00000000,?,0000001C,?,?), ref: 00558DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00557923
lstrcpyW.KERNEL32(00000000,?,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00557949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00557984

Strings

cdecl, xrefs: 0055797B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: a94f202c603e14a262c43024fba80f64b249e0766deba014a2cc759dd413d274
Instruction ID: 8a5c382b979ac85179ed41cc92acd27e16c4cc992dd098fe7efd355d63bbb54f
Opcode Fuzzy Hash: a94f202c603e14a262c43024fba80f64b249e0766deba014a2cc759dd413d274
Instruction Fuzzy Hash: A811063A200246ABDB159F35D858E7A7BB9FF99351B00402BFC02C72A4EB319805D7A1

Function 00585660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005856BB
_wcslen.LIBCMT ref: 005856CD
_wcslen.LIBCMT ref: 005856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00585816

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 565b806c0a92a57080eb77f69228ffe110eda130816150efc5b835a3a285e59c
Instruction ID: 409d263f1f792e15e32f27201b13fff823daa8894e1bb8c2759c6f3085fc16cf
Opcode Fuzzy Hash: 565b806c0a92a57080eb77f69228ffe110eda130816150efc5b835a3a285e59c
Instruction Fuzzy Hash: AF11B17560060996DF20AF668C85AEE7FACFF51760B104426FD15F6091FB70CA84CB60

Function 00551A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00551A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00551A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00551A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00551A8A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d2f8c23ed5de8b6d03dffcaf4ce04e3ecacc76f0206dda6751e52879bf79626e
Instruction ID: 3b0732d5d7c0a47467e987936df06a26e4473e8e7099375d9021cabd1d5dd60d
Opcode Fuzzy Hash: d2f8c23ed5de8b6d03dffcaf4ce04e3ecacc76f0206dda6751e52879bf79626e
Instruction Fuzzy Hash: BC112A3A901219FFEB119BA5C985FADBB78FB04750F200092EA01B7290D6716E50DB94

Function 0055E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0055E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0055E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0055E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0055E24D

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 36de70c33c4bcdba2362b1aae9f0dab210e75142477f1a486f99dea14863bc33
Instruction ID: b255ccf78be8e2b0e0a0eb2f234bf5f83a87a05d6ab6ffcbe5dcf79a76d4b0bc
Opcode Fuzzy Hash: 36de70c33c4bcdba2362b1aae9f0dab210e75142477f1a486f99dea14863bc33
Instruction Fuzzy Hash: 1C114876904644BFC7059FA8AC0AE9E3FACEB52715F004616FC25E3281C6B08A0897B0

Function 0051D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0051CFF9,00000000,00000004,00000000), ref: 0051D218
GetLastError.KERNEL32 ref: 0051D224
__dosmaperr.LIBCMT ref: 0051D22B
ResumeThread.KERNEL32(00000000), ref: 0051D249

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 53ee5aef784e550aa5609501e1dd38e347350dd3d5e8278303e9ff4872e36217
Instruction ID: b80e64937a85029c8d8d254d9410430fb4cb275db9a5dd28058ddd7cd89e584b
Opcode Fuzzy Hash: 53ee5aef784e550aa5609501e1dd38e347350dd3d5e8278303e9ff4872e36217
Instruction Fuzzy Hash: AB01C03A905205BBEB115BA5DC09AEA7E79FF81330F200219F935921D0DB718985D7B0

Function 004F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F604C
GetStockObject.GDI32(00000011), ref: 004F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 004F606A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 464bb053a5efd1d763db4d50a57a7e2bf0fdfdd0f5e19a476d86e57d30c3072e
Instruction ID: ba7173b2559387c009cfa80b31ddae16b3455ecca1d9bb5d6dfee26faaecdcf4
Opcode Fuzzy Hash: 464bb053a5efd1d763db4d50a57a7e2bf0fdfdd0f5e19a476d86e57d30c3072e
Instruction Fuzzy Hash: 8F118B7250150CBFEF128FA48C44EFBBF69EF183A4F110216FA0592110DB369C60EBA4

Function 00513B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00513B56

Part of subcall function 00513AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00513AD2
Part of subcall function 00513AA3: ___AdjustPointer.LIBCMT ref: 00513AED

_UnwindNestedFrames.LIBCMT ref: 00513B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00513B7C
CallCatchBlock.LIBVCRUNTIME ref: 00513BA4

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 16ddaf37c539a2b3b3ba1aaa0df550d57ed6279eb53d3a2bea49877ac2960fff
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3101E972100149BBEF125E95CC4AEEB7F69FF98754F044014FE5856121D732E9A1DBA0

Function 00523073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004F13C6,00000000,00000000,?,0052301A,004F13C6,00000000,00000000,00000000,?,0052328B,00000006,FlsSetValue), ref: 005230A5
GetLastError.KERNEL32(?,0052301A,004F13C6,00000000,00000000,00000000,?,0052328B,00000006,FlsSetValue,00592290,FlsSetValue,00000000,00000364,?,00522E46), ref: 005230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0052301A,004F13C6,00000000,00000000,00000000,?,0052328B,00000006,FlsSetValue,00592290,FlsSetValue,00000000), ref: 005230BF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 030c2579494af36d33bd4295d8237ef610dc94165ee3770afcc6f1836cf471dd
Instruction ID: 6e1676d429bc5ad7f3664466e100d5f9e0231e1d41d90491389ae9486647909c
Opcode Fuzzy Hash: 030c2579494af36d33bd4295d8237ef610dc94165ee3770afcc6f1836cf471dd
Instruction Fuzzy Hash: E101D436701636ABCB214A78BC88A577F98BF16B61B110A20F906E71D0DB35D909C7F0

Function 00557464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0055747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00557497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005574CA

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 8f115c8d4a575dc6ca2501372569e8dcabcfabeacd9c1a6b0609925febc672c5
Instruction ID: f9222ff8767d01814c2378dd48042bcabcb52a6d75e251d0187c99b08f24af57
Opcode Fuzzy Hash: 8f115c8d4a575dc6ca2501372569e8dcabcfabeacd9c1a6b0609925febc672c5
Instruction Fuzzy Hash: 5E11A1B1205318DBEB208F24EC18F927FFCFB04B01F10856AAE26D6151D770E948EB61

Function 0055B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B126

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6a075968ce240a122d5fc5ed089eb69a13b8be8484516a75b304ddbcb4a43855
Instruction ID: 97a90ca8e51fa1c557572ce3a30dfd22298dbdc7a121f4c724b4710edcad2abb
Opcode Fuzzy Hash: 6a075968ce240a122d5fc5ed089eb69a13b8be8484516a75b304ddbcb4a43855
Instruction Fuzzy Hash: CB115730C01928EBEF00AFE5E9AC6EEBF78BB59312F104486DD41B2181CB305658DB61

Function 00552DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00552DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00552DD6
GetCurrentThreadId.KERNEL32 ref: 00552DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00552DE4

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f415dc13f854c30beea0dc3e2bcafd8bd043f4b8a987bfcaae2368db09ba1e94
Instruction ID: bb2f3594ca543fd568c9aaf9c3765a90f123e17cc3851c817de0ff343daafe35
Opcode Fuzzy Hash: f415dc13f854c30beea0dc3e2bcafd8bd043f4b8a987bfcaae2368db09ba1e94
Instruction Fuzzy Hash: A1E06DB11012247AD7201B67AC0EEEB3E6CFB63BA2F001126B905E1080AAB48849D7B0

Function 00588863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00509639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00509693
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096A2
Part of subcall function 00509639: BeginPath.GDI32(?), ref: 005096B9
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00588887
LineTo.GDI32(?,?,?), ref: 00588894
EndPath.GDI32(?), ref: 005888A4
StrokePath.GDI32(?), ref: 005888B2

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e303fbef6aaf7d770ff0233d514f540544c5277472bba31a65b04c9ec888fe96
Instruction ID: edcaf5c140a7c4131524c9fb8dc50f87b506c93b687aa6ef75714a195330c6b7
Opcode Fuzzy Hash: e303fbef6aaf7d770ff0233d514f540544c5277472bba31a65b04c9ec888fe96
Instruction Fuzzy Hash: DBF03436041659FAEB126F94AC0EFDE3E69AF26310F448000FE11750E2C7B55529EFA9

Function 005098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005098CC
SetTextColor.GDI32(?,?), ref: 005098D6
SetBkMode.GDI32(?,00000001), ref: 005098E9
GetStockObject.GDI32(00000005), ref: 005098F1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 66f914b8d94c828e51b966b4ea0b78171685ea643f48e8285c68fc65e7dd49ab
Instruction ID: 0a714028f5ff17a57305e6943987a5c47ecdf35aa8186a0584eb415aa48972fe
Opcode Fuzzy Hash: 66f914b8d94c828e51b966b4ea0b78171685ea643f48e8285c68fc65e7dd49ab
Instruction Fuzzy Hash: 5CE06D31244284AEDF215B74BC0DBE83F20BB26336F04921AFAFA680E1C3714644EB20

Function 0055162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00551634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005511D9), ref: 0055163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005511D9), ref: 00551648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005511D9), ref: 0055164F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b4b15d040d1e9417a1795a03df8b244a24de44f6323f0693ad8a39c9eac0cd26
Instruction ID: 4303b090973d11d1fe1330b632ba9151e98da366a318cee3e8c55ce3adc2bfde
Opcode Fuzzy Hash: b4b15d040d1e9417a1795a03df8b244a24de44f6323f0693ad8a39c9eac0cd26
Instruction Fuzzy Hash: 29E08631601211DBD7201FB0AD0DB4A3F7CBF657D2F154809FA45E9080D6344449E774

Function 0054D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0054D858
GetDC.USER32(00000000), ref: 0054D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0054D882
ReleaseDC.USER32(?), ref: 0054D8A3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a3d1d9961c0edb40999cb608d7bd2c4722cac09bd16d62cbac06b7c96a312769
Instruction ID: 4d5d59a66fb7f8211522a2a887758280cc392e400953d53bedeaf52237dad93b
Opcode Fuzzy Hash: a3d1d9961c0edb40999cb608d7bd2c4722cac09bd16d62cbac06b7c96a312769
Instruction Fuzzy Hash: E4E0E5B4800205DFCB419FA5990C66DBFB1BB18310B149419E906B7250D7384905AF60

Function 0054D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0054D86C
GetDC.USER32(00000000), ref: 0054D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0054D882
ReleaseDC.USER32(?), ref: 0054D8A3

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ec6ccd6eac97d48a2bda210a088aeb9b6df6730a47e5e1f1c13ee72e570fd79
Instruction ID: b5e66a41b2ee93197afd8f207a31d8034d36eb17172992ccb3aeb1ae515949b2
Opcode Fuzzy Hash: 3ec6ccd6eac97d48a2bda210a088aeb9b6df6730a47e5e1f1c13ee72e570fd79
Instruction Fuzzy Hash: A8E01A74800204DFCB409FB5D80C66DBFB1BB18310B149419E90AF7250D7385905AF60

Function 00564D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00564ED4

Strings

*, xrefs: 00564E10
LPT, xrefs: 00564DFB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c84a0aa1aa5b27b9158d53b6f6cd39451c9089556588fbdcba1d2a28cd59dca9
Instruction ID: 7fa0f47a489722821ba9e87727f05f5f376dd7fd994561ad769c80fd18d89b1c
Opcode Fuzzy Hash: c84a0aa1aa5b27b9158d53b6f6cd39451c9089556588fbdcba1d2a28cd59dca9
Instruction Fuzzy Hash: 5E915E75A00244AFCB14DF58C484EAABBF5BF44308F198099E80A9F7A2D775ED85CF91

Function 0051E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0051E30D

Strings

pow, xrefs: 0051E2E5, 0051E302

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1e8804b509481cd56bc08912bce7dbdfc5ee5d74be8af853a1e63f07fb580f1b
Instruction ID: 0e991a8d7c7c84a66d19721d9958aeb95e5567cf8b8fa678e7dadc51688aef70
Opcode Fuzzy Hash: 1e8804b509481cd56bc08912bce7dbdfc5ee5d74be8af853a1e63f07fb580f1b
Instruction Fuzzy Hash: 7B51CE61A0C11A96EB11B724DD033FA3F98FF55740F304D99E8E5432E8EB348CC59A46

Function 00577771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0054569E,00000000,?,0058CC08,?,00000000,00000000), ref: 005778DD

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

CharUpperBuffW.USER32(0054569E,00000000,?,0058CC08,00000000,?,00000000,00000000), ref: 0057783B

Strings

<s[, xrefs: 005777C8

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s[
API String ID: 3544283678-714827695
Opcode ID: 0f504cbc19e2ce5656a328182b8f7767eefa32cdf28427c5ac40b805240ba873
Instruction ID: 9f0251bf921022dea4a21fdba3edd65ec56e3718dcdcc3f45859839f77a520ae
Opcode Fuzzy Hash: 0f504cbc19e2ce5656a328182b8f7767eefa32cdf28427c5ac40b805240ba873
Instruction Fuzzy Hash: 1061707291411DAACF04EBA5EC91DFDBBB4FF18304B44452AE606B3091EF785A05DBA4

Function 0050E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0050E1B1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 5e0b4b57d6dc745265eefd05751377d503ce22897cabef5f8dace53f7be88894
Instruction ID: 711c4e808e03efe667dfffc0d55b3a143e6621244018284ac71e4e29787695c4
Opcode Fuzzy Hash: 5e0b4b57d6dc745265eefd05751377d503ce22897cabef5f8dace53f7be88894
Instruction Fuzzy Hash: 0E512379900286DFDB15DF28C482AFE7FA4FF65328F644459EC919B2D0D634AD42CBA0

Function 0050F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0050F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0050F2BB

Strings

@, xrefs: 0050F2AF

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 697e81507c29af60b4626b8abd5f1b98e8cb3a2b530420242bd6768021d40a21
Instruction ID: 648b274a939b89aadb0c13c6aed8ad8c9f34b816608435543f2b0812c7e3ef05
Opcode Fuzzy Hash: 697e81507c29af60b4626b8abd5f1b98e8cb3a2b530420242bd6768021d40a21
Instruction Fuzzy Hash: B15147714087499BD320AF15D886BABBBF8FF95304F81484DF29941195EB348929CB6B

Function 00575745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005757E0
_wcslen.LIBCMT ref: 005757EC

Strings

CALLARGARRAY, xrefs: 005757E6, 005757EB

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 72505e24eea79db3c5e86f9ac4fc60b116233f20146aa724202cea550e6f1795
Instruction ID: a0a67ea0ecddf1c859ad374ab2a24726f93769c748d52ac58ec63a0c46f95071
Opcode Fuzzy Hash: 72505e24eea79db3c5e86f9ac4fc60b116233f20146aa724202cea550e6f1795
Instruction Fuzzy Hash: 6641C031A001099FCB04DFA9D8869BEBFF4FF98354F20802EE509A7291E7709D81CB91

Function 0056D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0056D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0056D13A

Strings

|, xrefs: 0056D10B

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 13bd30607841701176259069629061d6513f2bea288bba09a9b4877d488ff646
Instruction ID: aa0213e7243e60e67a8c22eb6a033119162524c9e10fc05a15d73f5d162a161d
Opcode Fuzzy Hash: 13bd30607841701176259069629061d6513f2bea288bba09a9b4877d488ff646
Instruction Fuzzy Hash: 3D316F71D00209ABCF11EFA5CC85EEEBFB9FF05344F00001AF915A6261D775AA56CB64

Function 0058356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00583621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0058365C

Strings

static, xrefs: 005835BC

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 832f5d3f6a263f867b31a59cdf04fc9617df97a980e35679c8b55c4e93b8e6d6
Instruction ID: 322bf49bc5b3b98875fd955e5e16b14c82a8d20b556071cb1b3dd2d26583b6e4
Opcode Fuzzy Hash: 832f5d3f6a263f867b31a59cdf04fc9617df97a980e35679c8b55c4e93b8e6d6
Instruction Fuzzy Hash: AD318171110604AEDB10EF29DC80EBB7BA9FF98724F509619FD55A7180DA30AD91D760

Function 00584537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0058461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00584634

Strings

', xrefs: 0058458E

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 40c365d231d7ffe8f64b4ca220dbf4cfba623d3e06a6fd4280c891f50be02109
Instruction ID: 1c3a5562475d075b35527e6708d1f1285873062e77e34b2255341ee0519e75a9
Opcode Fuzzy Hash: 40c365d231d7ffe8f64b4ca220dbf4cfba623d3e06a6fd4280c891f50be02109
Instruction Fuzzy Hash: 22311574A0020A9FDB14DFA9C980AEA7BB5FF09300F10406AED05AB341E770A941DF90

Function 005831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0058327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00583287

Strings

Combobox, xrefs: 00583249

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9b832bb5b7d3a042e001fe2975f9af31891ff407cae39de44e73dfb7f601bf2d
Instruction ID: 54051c6fd7e76cc348bfa9fef243c807de326939a45a63d140d15c595bcee0db
Opcode Fuzzy Hash: 9b832bb5b7d3a042e001fe2975f9af31891ff407cae39de44e73dfb7f601bf2d
Instruction Fuzzy Hash: F811E2753002087FEF21AE54DC84EBB3F6AFB98764F100128FD1AAB290D6719D518760

Function 00583710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F604C
Part of subcall function 004F600E: GetStockObject.GDI32(00000011), ref: 004F6060
Part of subcall function 004F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F606A

GetWindowRect.USER32(00000000,?), ref: 0058377A
GetSysColor.USER32(00000012), ref: 00583794

Strings

static, xrefs: 00583757

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3acca13b4391a1d5053de9e38a4c39c7b317db67b5cbd2efee12b918e37eef68
Instruction ID: 10dcd9ecfb3686e1864064276a0418964ed68f6f628f33e5fb5f61262ecb683f
Opcode Fuzzy Hash: 3acca13b4391a1d5053de9e38a4c39c7b317db67b5cbd2efee12b918e37eef68
Instruction Fuzzy Hash: 8E1129B2610209AFDF00EFA8CC45EFA7BB8FB08714F004915FD55E2251E775E9559B60

Function 0056CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0056CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0056CDA6

Strings

<local>, xrefs: 0056CD66

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 71e3f38ac8c81380030d9a7159c8aa37f969045005180cc342a2c1c4f849ab7c
Instruction ID: 8f5a37549588f3320f0bb70bfd2992b0cb6ef34f39ea0d9cff4229fc0edeab09
Opcode Fuzzy Hash: 71e3f38ac8c81380030d9a7159c8aa37f969045005180cc342a2c1c4f849ab7c
Instruction Fuzzy Hash: 8011A071205671BAD7285A668C49EF7BEBCFB227A4F00462AB58993180D6749844D6F0

Function 00583429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005834BA

Strings

edit, xrefs: 0058348F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5b13165f321ca0e47aed512b2819edc3e5d64a5251fe6d9a7a9ed5674e694166
Instruction ID: f59328153d4eb4174d74847268e685c14d94d997500e4c4c1635296598bfc4a3
Opcode Fuzzy Hash: 5b13165f321ca0e47aed512b2819edc3e5d64a5251fe6d9a7a9ed5674e694166
Instruction Fuzzy Hash: 61119D71100108AEEF11AE64DC48ABA3F6AFF15B78F504724FD61A71E0C771DC559760

Function 00556C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00556CB6
_wcslen.LIBCMT ref: 00556CC2

Strings

STOP, xrefs: 00556CBC, 00556CC1

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 8acead713aede9ba1a0f35ca10a4f41117a3366c90f3c1a687bc290426af6851
Instruction ID: e48f0b0ac649dbdae20fc981c5363346e228f11d037421913ccf36af14568f6e
Opcode Fuzzy Hash: 8acead713aede9ba1a0f35ca10a4f41117a3366c90f3c1a687bc290426af6851
Instruction Fuzzy Hash: 6D0108326005678ACB119FBDCCA19BF7BB4FA60715780092AEC5297190FB31DC08C650

Function 00551BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00551C46

Strings

ComboBox, xrefs: 00551BE5
ListBox, xrefs: 00551C10

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d7bbd087b0c04bb7c5c6daabf88d7e8cf8edb1b8fc307ff609afe1cf4ccfa3a3
Instruction ID: a2c9594f8364310281dfd9883073b44dd90a3d0c7814019f1146e167c35b14fe
Opcode Fuzzy Hash: d7bbd087b0c04bb7c5c6daabf88d7e8cf8edb1b8fc307ff609afe1cf4ccfa3a3
Instruction Fuzzy Hash: 9F01A77569110866CB08EB91C965BFF7FA8BF51381F14041BED0677281EA259E0CC6B9

Function 00551C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00551CC8

Strings

ComboBox, xrefs: 00551C69
ListBox, xrefs: 00551C94

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0d3b5bfea8741b40eedce8bdb7403fa96f77f3c3ee33e109dbc61f26d71e1743
Instruction ID: e177e3da5119a85eb6a391187262b82e645a7bc31d6357b682d8d8ffcf818498
Opcode Fuzzy Hash: 0d3b5bfea8741b40eedce8bdb7403fa96f77f3c3ee33e109dbc61f26d71e1743
Instruction Fuzzy Hash: 9401DB7164015867CB04EB95CA22BFE7FA8BF113C1F14001BBD0677281EA259F0CC675

Function 0050A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0050A529

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Strings

,%\, xrefs: 0050A509
3yT, xrefs: 0050A545, 0050A54D, 0050A552

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%\$3yT
API String ID: 2551934079-2759134763
Opcode ID: 16eb7014952e5bb2023d7ae42a3f87e43c03be33367c3eaa751ed329e8f4b1cd
Instruction ID: 3c4369859dc386994e60d4337c3cc3d83e101e5f4859eaefecfdc7d99b9ad981
Opcode Fuzzy Hash: 16eb7014952e5bb2023d7ae42a3f87e43c03be33367c3eaa751ed329e8f4b1cd
Instruction Fuzzy Hash: 9B01F2326007159BCE00F7A9DC1BFAE3F54BB85710F400429F6125B1C2EEA4AD858A9B

Function 00588172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005C3018,005C305C), ref: 005881BF
CloseHandle.KERNEL32 ref: 005881D1

Strings

\0\, xrefs: 0058818A

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0\
API String ID: 3712363035-662447594
Opcode ID: 62cb9a56d12edaa5c69d8e7bdd6dadc38c0d685879be1670a06f8f33e6798f24
Instruction ID: 5dc3bd197dc357535608f8480139db37f596067fd49df05888e219a6c0846de8
Opcode Fuzzy Hash: 62cb9a56d12edaa5c69d8e7bdd6dadc38c0d685879be1670a06f8f33e6798f24
Instruction Fuzzy Hash: E8F030B2640708BEE3106761AC4DFB77E5CFB14750F008425BA08F51A1D6758E54A3B8

Function 0057747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00577493
_wcslen.LIBCMT ref: 005774B9

Strings

3, 3, 16, 1, xrefs: 00577483

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 3590c55970e2ebb726816eb2f34fd154e08e70942f7fcc4e4930f997049638de
Instruction ID: efa70a690d78d01186a6d50e2a27398acd78656056fe8f6cfafb9410f6e337aa
Opcode Fuzzy Hash: 3590c55970e2ebb726816eb2f34fd154e08e70942f7fcc4e4930f997049638de
Instruction Fuzzy Hash: 4FE02B0220432510A731127ABCC99BF5ECAFFCD750714282BF989C2276EA948DD1A3A0

Function 00550B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00550B23

Strings

Error allocating memory., xrefs: 00550B1C
AutoIt, xrefs: 00550B17

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: b0d866c6ab6112ea1d4a6bf754633a230301d4e0ab76c4feb6321df8940dc333
Instruction ID: 6ab239edba5e3e0344ac29727b343432d2c9ad2b97a804f4e76d45f989d10075
Opcode Fuzzy Hash: b0d866c6ab6112ea1d4a6bf754633a230301d4e0ab76c4feb6321df8940dc333
Instruction Fuzzy Hash: 98E0923224430926D22437547C07F8D7E88AB05B25F10046AFB58A94C38AE1249047A9

Function 00510D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0050F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00510D71,?,?,?,004F100A), ref: 0050F7CE

IsDebuggerPresent.KERNEL32(?,?,?,004F100A), ref: 00510D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004F100A), ref: 00510D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00510D7F

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 6c6d4bc2f11edd6899f1a6e6c6a42539766a6049ca7e433c9fd6fe347594b770
Instruction ID: 2461302750dc65607c6bc088f8c8eef0b998045223e2a437e6d44d8a2f196417
Opcode Fuzzy Hash: 6c6d4bc2f11edd6899f1a6e6c6a42539766a6049ca7e433c9fd6fe347594b770
Instruction Fuzzy Hash: 64E065742007418FE770AF78E4087467FE4BB14744F00492DE882D6691DBF4E4889BA1

Function 0050E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0050E3D5

Strings

0%\, xrefs: 0050E3B5
8%\, xrefs: 0050E3CA

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%\$8%\
API String ID: 1385522511-277581082
Opcode ID: 790d7454e5f03e98299a7e1b55bac24f8f853a2543fd60f550021f64ca8eab08
Instruction ID: ba2416d64fe91b41494c16700d1218277272ab8296731676201542b59ca09e84
Opcode Fuzzy Hash: 790d7454e5f03e98299a7e1b55bac24f8f853a2543fd60f550021f64ca8eab08
Instruction Fuzzy Hash: 8AE02631404D20CFC6049718F85AECE3F91BB45320F203D68E1128F1D1DF7478859644

Function 00563017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0056302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00563044

Strings

aut, xrefs: 00563038

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 123d521eab734f5ca2a653b9bed6057fac80e933b0b74117f3acdbb3a4b2aff1
Instruction ID: 46b05349ca85abcd6b4745d68cfd3a039e29eb5952be1453854022fe51de76ac
Opcode Fuzzy Hash: 123d521eab734f5ca2a653b9bed6057fac80e933b0b74117f3acdbb3a4b2aff1
Instruction Fuzzy Hash: 5AD05B7550031467DA2097949C0DFD73E6CD704750F0001917A96E20D1DAB49544CBE0

Function 00582356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0058236C
PostMessageW.USER32(00000000), ref: 00582373

Part of subcall function 0055E97B: Sleep.KERNEL32 ref: 0055E9F3

Strings

Shell_TrayWnd, xrefs: 00582365

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 10f3bd5274c64cde33aff009345d24851fec9187ef38dce4446ff450929ac731
Instruction ID: abca23787ce40f887fa50fb85e0a9c40063b110be26e3d34a90202d0cdfa2fcd
Opcode Fuzzy Hash: 10f3bd5274c64cde33aff009345d24851fec9187ef38dce4446ff450929ac731
Instruction Fuzzy Hash: 32D0A9323803007AE668A3309C0FFC66E14AB11B00F0009127A41AA0D0C8B0B8098B24

Function 00582322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0058232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0058233F

Part of subcall function 0055E97B: Sleep.KERNEL32 ref: 0055E9F3

Strings

Shell_TrayWnd, xrefs: 00582325

Memory Dump Source

Source File: 00000000.00000002.1404695201.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1404656989.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404812197.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404941275.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1405042414.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2276732abcba263d1885a26e6bf03a0bbf2627eea1ab245009b15cc5a56c511d
Instruction ID: 85773e182ff09d8d74fc8d2eb6975a92b27b576463555353a0b0caeabcd8aaa7
Opcode Fuzzy Hash: 2276732abcba263d1885a26e6bf03a0bbf2627eea1ab245009b15cc5a56c511d
Instruction Fuzzy Hash: B6D0A932380300B6E668A3309C1FFC66E14AB10B00F0009127A45AA0D0C8B0A8098B20

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive

Source: firefox.exe, 0000000F.00000003.1576415553.000001C6CA266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1576415553.000001C6CA266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1576415553.000001C6CA2DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1576415553.000001C6CA2DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1576415553.000001C6CA2DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1520731480.0000303A03203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1520731480.0000303A03203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1520731480.0000303A03203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -Z:://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1520731480.0000303A03203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -Z:www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1567689738.000001C6D169C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1534685672.000001C6D169C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1530973103.000001C6D50C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1530212227.000001C6D51F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1546498063.000001C6C9C6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1530973103.000001C6D50C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1530212227.000001C6D51F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1546498063.000001C6C9C6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1576415553.000001C6CA283000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1544007093.000001C6CA283000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1583452215.000001C6CA283000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1531882608.000001C6D4D69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1561479079.000001C6D4D69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1534685672.000001C6D169C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1547492886.000001C6C938E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1547492886.000001C6C938E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1530973103.000001C6D50C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1530212227.000001C6D51F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1420019887.000001C6CAC74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1530973103.000001C6D50C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1530212227.000001C6D51F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1546498063.000001C6C9C6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1579781838.000001C6CC9A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3154911124.000001C7A2203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1579781838.000001C6CC9A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3154911124.000001C7A2203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1596355562.000001C6CB19B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1579781838.000001C6CC9A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3154911124.000001C7A2203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1567076767.000001C6D4A87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1532268035.000001C6D4A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1539840221.000001C6D477B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1576415553.000001C6CA283000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1588150593.000001C6D53F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1520731480.0000303A03203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1560349143.000001C6D51A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1588150593.000001C6D53F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1530364832.000001C6D51A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1539840221.000001C6D477B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1596749833.000001C6CAAE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1423037999.000001C6CAADE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1576415553.000001C6CA266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: dualstack.reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.7:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49917 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_198a2e9f-0549-44c2-a620-219d37f8bcc2.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_198a2e9f-0549-44c2-a620-219d37f8bcc2.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6O8SBFH6OVLJZGKGDRPC.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RHOSW4FG1VL3GGJPL6XM.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre