Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1529419
MD5:	88f5ee9048198b17b68c8c960b6888ce
SHA1:	d0e82acbd32a243dd71532c07dc2c0b3058f05a3
SHA256:	c5f4d028a2f24deaf15cfb7f0113caea6b5ab0b92b6bc8137fb28b2bb9b4f31d
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 88F5EE9048198B17B68C8C960B6888CE)

taskkill.exe (PID: 2984 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2512 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1384 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1872 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4136 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3536 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6264 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3872 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4260 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f9ba66-06f4-4dab-9656-3072865229ba} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1955a66d510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7252 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3752 -parentBuildID 20230927232528 -prefsHandle 3756 -prefMapHandle 3516 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0a60b9-2db6-4005-8263-e31f930ef023} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1955a68f610 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7856 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5148 -prefMapHandle 5132 -prefsLen 33353 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc30be76-9e45-4799-906d-b5fb74197779} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 19572772b10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1500954598.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 6508	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_000DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_000DEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_000DED6A

Source: C:\Users\user\Desktop\file.exe

0_2_000DEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_000CAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_000F9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cbc7f7d3-5
Source: file.exe, 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0e28e971-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_26fee5c3-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cdfe1da9-6

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000253BD3E7837 NtQuerySystemInformation,		18_2_00000253BD3E7837
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000253BDA6B532 NtQuerySystemInformation,		18_2_00000253BDA6B532

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000CD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_000CD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_000C1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_000CE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D2046	0_2_000D2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00068060	0_2_00068060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C8298	0_2_000C8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009E4FF	0_2_0009E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009676B	0_2_0009676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F4873	0_2_000F4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008CAA0	0_2_0008CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0006CAF0	0_2_0006CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007CC39	0_2_0007CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00096DD9	0_2_00096DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007B119	0_2_0007B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000691C0	0_2_000691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00081394	0_2_00081394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00081706	0_2_00081706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008781B	0_2_0008781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00067920	0_2_00067920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007997D	0_2_0007997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000819B0	0_2_000819B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00087A4A	0_2_00087A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00081C77	0_2_00081C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00087CA7	0_2_00087CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B3CD5	0_2_000B3CD5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000EBE44	0_2_000EBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00099EEE	0_2_00099EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00081F32	0_2_00081F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000253BD3E7837	18_2_00000253BD3E7837
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000253BDA6B532	18_2_00000253BDA6B532
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000253BDA6BC5C	18_2_00000253BDA6BC5C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000253BDA6B572	18_2_00000253BDA6B572

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00080A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0007F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00069CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/13

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000D37B5 GetLastError,FormatMessageW,

0_2_000D37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C10BF AdjustTokenPrivileges,CloseHandle,		0_2_000C10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_000C16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_000D51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000CD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_000CD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_000D648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000642A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.1663495613.0000019573DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.1663495613.0000019573DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.1663495613.0000019573DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.1663495613.0000019573DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.1663495613.0000019573DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.1663495613.0000019573DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.1663495613.0000019573DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.1663495613.0000019573DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.1663495613.0000019573DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f9ba66-06f4-4dab-9656-3072865229ba} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1955a66d510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3752 -parentBuildID 20230927232528 -prefsHandle 3756 -prefMapHandle 3516 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0a60b9-2db6-4005-8263-e31f930ef023} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1955a68f610 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5148 -prefMapHandle 5132 -prefsLen 33353 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc30be76-9e45-4799-906d-b5fb74197779} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 19572772b10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f9ba66-06f4-4dab-9656-3072865229ba} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1955a66d510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3752 -parentBuildID 20230927232528 -prefsHandle 3756 -prefMapHandle 3516 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0a60b9-2db6-4005-8263-e31f930ef023} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1955a68f610 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5148 -prefMapHandle 5132 -prefsLen 33353 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc30be76-9e45-4799-906d-b5fb74197779} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 19572772b10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.1590638902.0000019576501000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.1605813778.0000019567DAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1603384784.0000019567DA3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.1605813778.0000019567DAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1603384784.0000019567DA3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1603880300.0000019567DA3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.1590638902.0000019576501000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1603880300.0000019567DA3000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000642DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00080A76 push ecx; ret

0_2_00080A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0007F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_000F1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97104

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_00000253BD3E7837 rdtsc

18_2_00000253BD3E7837

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000CDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009C2A2 FindFirstFileExW,	0_2_0009C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D68EE FindFirstFileW,FindClose,	0_2_000D68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_000D698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000CD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000CD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_000D9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_000D5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000642DE

Source: firefox.exe, 00000010.00000002.2691156966.0000029293700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: firefox.exe, 00000012.00000002.2684686471.00000253BD0AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW W
Source: firefox.exe, 00000013.00000002.2685045681.000001EECD01A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP6@
Source: firefox.exe, 00000010.00000002.2686098146.000002929327A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2689996385.00000253BD960000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2689839901.000001EECD400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.2690247955.0000029293622000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2691156966.0000029293700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: firefox.exe, 00000010.00000002.2691156966.0000029293700000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2689996385.00000253BD960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_00000253BD3E7837 rdtsc

18_2_00000253BD3E7837

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000DEAA2 BlockInput,

0_2_000DEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00092622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00092622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00084CE8 mov eax, dword ptr fs:[00000030h]

0_2_00084CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_000C0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00092622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00092622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0008083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000809D5 SetUnhandledExceptionFilter,	0_2_000809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00080C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00080C21

Source: C:\Users\user\Desktop\file.exe

0_2_000C1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000A2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000A2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000CB226 SendInput,keybd_event,

0_2_000CB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_000E22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_000C0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000C1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00080698 cpuid

0_2_00080698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_000D8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000BD27A GetUserNameW,

0_2_000BD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0009B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0009B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1500954598.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6508, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1500954598.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6508, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_000E1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_000E1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	16%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.253.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	52.222.236.80	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	216.58.206.46	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.16.142	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000013.00000002.2686966928.000001EECD3C4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.1631666411.000001957589F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553194946.000001957388E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1667396913.00000195758A1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false		unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1598404575.000001956E23E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1701020550.000001956E243000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1517925429.000001956E23E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.2687050748.00000253BD486000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2686966928.000001EECD38F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.1681633140.000001956BB9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1689162942.000001956BB9A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.1690113065.000001956B6F3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1646259208.000001956E118000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 0000000E.00000003.1635027944.0000019573974000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616352551.0000019573974000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1637878427.0000019573974000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.1667436285.0000019575854000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631666411.0000019575853000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1488713885.000001956A357000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1486446845.000001956A33A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483537605.000001956A100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1492809624.000001956A373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1485240889.000001956A31E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.1657324881.00000195734E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1633923369.00000195734E9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.1663535748.0000019573D70000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.1527859135.000001956E125000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1656320233.000001956BF90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1488713885.000001956A357000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1486446845.000001956A33A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483537605.000001956A100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1492809624.000001956A373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1625224704.000001956C47A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1485240889.000001956A31E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.1674970289.000001956CA56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1520393245.000001956CA3B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1488713885.000001956A357000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1486446845.000001956A33A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483537605.000001956A100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1492809624.000001956A373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1485240889.000001956A31E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.1525083228.000001956BA39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.1674970289.000001956CA97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1673037308.000001956DCB0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.1528761657.000001956BD61000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.1681633140.000001956BB9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1689162942.000001956BB9A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.1663672175.0000019573D18000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	firefox.exe, 0000000E.00000003.1681300435.000001956BBEA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1646259208.000001956E118000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1675938723.000001956CA4D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	firefox.exe, 00000010.00000002.2686761860.00000292934C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2687050748.00000253BD4F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2690249145.000001EECD603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2687050748.00000253BD403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2686966928.000001EECD30C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.1555372749.000001956B452000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.1669964073.0000019572A9B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.1690113065.000001956B6F3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.1663672175.0000019573D18000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000013.00000002.2686966928.000001EECD3C4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.1665775622.0000019572768000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1555372749.000001956B452000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.1592225524.000001956C2A6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1633432012.0000019573DE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.1657324881.00000195734E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1633923369.00000195734E9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.1680520183.000001956BF55000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000010.00000002.2686761860.00000292934C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2687050748.00000253BD4F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2690249145.000001EECD603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.1646259208.000001956E118000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2687050748.00000253BD412000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2686966928.000001EECD313000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.1690113065.000001956B6F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000013.00000002.2686414926.000001EECD1E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/CN=The	firefox.exe, 00000013.00000002.2686966928.000001EECD313000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.2686761860.0000029293472000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.1527859135.000001956E125000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.1663723441.0000019572A8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1670157104.0000019572A8E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1643024643.000001956C2B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1672738705.000001956E0F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1548832909.000001956C4C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598404575.000001956E21C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1655123551.000001956E145000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1640883079.000001956E1AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1649070836.000001956CE2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1592225524.000001956C2E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1512959238.000001956DDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1628826098.000001956C45E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616049518.00000195739CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1519805223.000001956E1B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1593307614.000001956A1A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1613942032.0000019573905000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1660833889.000001956BBAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616352551.000001957396A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1594489275.000001956C0B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1494176726.000001956A367000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1635888707.000001957390A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1699595024.000001957380A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1634364434.00000195739D2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.1646809987.000001956D9A3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.1646809987.000001956D9A3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1640883079.000001956E1AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1519805223.000001956E1B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527859135.000001956E1AA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1640883079.000001956E1AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1519805223.000001956E1B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527859135.000001956E1AA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.1663723441.0000019572A8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1670157104.0000019572A8E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1598404575.000001956E23E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1701020550.000001956E243000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1517925429.000001956E23E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.1690220864.000001956B6B5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1494474114.0000019568C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1495798538.0000019568C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1495425999.0000019568C19000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.1680242138.000001956BFDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1656320233.000001956BFD7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mathiasbynens.be/	firefox.exe, 0000000E.00000003.1635027944.0000019573974000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616352551.0000019573974000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1637878427.0000019573974000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1674552094.000001956CE67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1648845313.000001956CE58000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.1555372749.000001956B452000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1494474114.0000019568C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1495798538.0000019568C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1495425999.0000019568C19000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.1663672175.0000019573D18000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.1666370084.000001956E346000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1519805223.000001956E1E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.1690113065.000001956B6F3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.1668424352.0000019573E50000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.2689620419.0000029293500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2686127924.00000253BD360000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2689965087.000001EECD500000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.1485240889.000001956A31E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.1656320233.000001956BF90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1488713885.000001956A357000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1486446845.000001956A33A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483537605.000001956A100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1492809624.000001956A373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1625224704.000001956C47A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1485240889.000001956A31E000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
52.222.236.80	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
216.58.206.46	youtube.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.251.32.110	unknown	United States	15169	GOOGLEUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529419
Start date and time:	2024-10-09 00:18:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/13
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.242.27.108, 44.224.63.42, 44.238.148.23, 142.250.185.174, 2.22.61.56, 2.22.61.59, 142.250.185.238, 216.58.206.78, 172.217.18.10, 142.250.181.234
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:20:05	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.80	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	18.245.162.100
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	https://paa9eki.fitutend.com/p0wh/	Get hash	malicious	HTMLPhisher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	https://shoutout.wix.com/so/68P9j4pbc/c?w=YIpy_LmKpeOuRTcqEasLgbctjTenhex96yD397bZU04.eyJ1IjoiaHR0cHM6Ly9maWxlc3NoYXJlcy5naXRodWIuaW8vYXJ1dHkvIiwiciI6IjU3ZWU5MDNjLTU1YjktNDMxYS0zNDRiLWUzZjYxNjRhN2I0MiIsIm0iOiJtYWlsIiwiYyI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	https://climate-consultant.informer.com/6.0/	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Remittance_Regulvar.htm	Get hash	malicious	Unknown	Browse	34.117.239.71
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
AMAZON-02US	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	https://link-karix.unifiedrml.com/link/load/?uid=66f149a6a2cee777918b45c2-66f14b565f7b47ad77e978c0-66f14b0aa2cee705a28b4575&uri=https%3A%2F%2Fbluworldusabluworldusa.jimdofree.com/	Get hash	malicious	HTMLPhisher	Browse	52.215.95.29
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	https://paa9eki.fitutend.com/p0wh/	Get hash	malicious	HTMLPhisher	Browse	18.193.37.153
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFnDa0TAMLVO9WtBTyYEZqZA-3DPrnv_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOmYNN4Eos0I-2F5FhDJBI4w4qadztSYeu4ugOMJrD5ZJ3NK5HbR-2B5js4EjZpFmlZJIJ2eepX0b1t3SsV5gyIJGc7CJjeC8X5Wxzv49-2FqOYJzl5qBXpr-2BWwAW7G6cWDOqZN4YK73LjV4xBBNvL9fcHX0SM3SHQjbhXBuKD0dh5WqiuRgt8l7OsZEvxy8UkJaur7KIBjJyVTij7zCSJnYd6mjsUFQl8fAjX9eSOEGKjy2XWh8GHa2xi9VgTVCxGMcn7gM-3D	Get hash	malicious	Unknown	Browse	13.224.189.17
	file.exe	Get hash	malicious	Credential Flusher	Browse	18.245.162.100
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.149.100.209
	https://link-karix.unifiedrml.com/link/load/?uid=66f149a6a2cee777918b45c2-66f14b565f7b47ad77e978c0-66f14b0aa2cee705a28b4575&uri=https%3A%2F%2Fbluworldusabluworldusa.jimdofree.com/	Get hash	malicious	HTMLPhisher	Browse	34.149.254.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://shoutout.wix.com/so/68P9j4pbc/c?w=YIpy_LmKpeOuRTcqEasLgbctjTenhex96yD397bZU04.eyJ1IjoiaHR0cHM6Ly9maWxlc3NoYXJlcy5naXRodWIuaW8vYXJ1dHkvIiwiciI6IjU3ZWU5MDNjLTU1YjktNDMxYS0zNDRiLWUzZjYxNjRhN2I0MiIsIm0iOiJtYWlsIiwiYyI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9	Get hash	malicious	HTMLPhisher	Browse	34.149.206.255

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.251.32.110 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c34f7ffa-8b78-4b9e-b500-910b29bb531a.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.183854171378535
Encrypted:	false
SSDEEP:	192:x99wMiP7scbhbVbTbfbRbObtbyEl7nQNuJA6unSrDtTkdmS3:x9bdcNhnzFSJwNN1nSrDhkdmW
MD5:	29407FF149BD434AAA38DC6530603925
SHA1:	9C84150A894AA93516CAA4EF2061E04A86C1E944
SHA-256:	4566088E5B614EC04BB4D62EE8A8F555B3E2ED268DF2C646AF62BEE6E118C894
SHA-512:	D4C572C416267D0EC3FAFD3C869985785FC6F1C18B36228F0E7CB13D7EC585B461523D5FC401A96A1E4587505B42B714645A9D064B0BA50945D71440989A22E0
Malicious:	false
Preview:	{"type":"uninstall","id":"c34f7ffa-8b78-4b9e-b500-910b29bb531a","creationDate":"2024-10-08T23:53:05.332Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"965729a8-84e4-4cad-a75d-ac8181902c4b","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c34f7ffa-8b78-4b9e-b500-910b29bb531a.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.183854171378535
Encrypted:	false
SSDEEP:	192:x99wMiP7scbhbVbTbfbRbObtbyEl7nQNuJA6unSrDtTkdmS3:x9bdcNhnzFSJwNN1nSrDhkdmW
MD5:	29407FF149BD434AAA38DC6530603925
SHA1:	9C84150A894AA93516CAA4EF2061E04A86C1E944
SHA-256:	4566088E5B614EC04BB4D62EE8A8F555B3E2ED268DF2C646AF62BEE6E118C894
SHA-512:	D4C572C416267D0EC3FAFD3C869985785FC6F1C18B36228F0E7CB13D7EC585B461523D5FC401A96A1E4587505B42B714645A9D064B0BA50945D71440989A22E0
Malicious:	false
Preview:	{"type":"uninstall","id":"c34f7ffa-8b78-4b9e-b500-910b29bb531a","creationDate":"2024-10-08T23:53:05.332Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"965729a8-84e4-4cad-a75d-ac8181902c4b","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.9390377433078765
Encrypted:	false
SSDEEP:	192:7LFS+O1U6OdwiOdEiVoslH5jV/ZiwBhZ08jzLTX8P:N5dimslH5jVhiwBrK
MD5:	70272E635AC6868AC905088C4361DF91
SHA1:	9BFF90D7DE39D65E534F6DE410AC3FC57685B2A0
SHA-256:	D6A674EBCE2A88416EF52920BB1AB719E072963E20FB075D3E6067E2916BBF31
SHA-512:	76702CCA04FB99347352176651CCCB02497A09EE4BF0A4C22604FE8EC0F306008F17A343E2ECB7999C40D7E8FFCFCB7A7E57A7C8399721F1CD4BD24A28F1773F
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"fbda1f9b-e03c-4207-94bb-3e5ec8a299dc","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T08:19:30.130Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cdbde02e-86fb-4899-ad8a-776106784576","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.9390377433078765
Encrypted:	false
SSDEEP:	192:7LFS+O1U6OdwiOdEiVoslH5jV/ZiwBhZ08jzLTX8P:N5dimslH5jVhiwBrK
MD5:	70272E635AC6868AC905088C4361DF91
SHA1:	9BFF90D7DE39D65E534F6DE410AC3FC57685B2A0
SHA-256:	D6A674EBCE2A88416EF52920BB1AB719E072963E20FB075D3E6067E2916BBF31
SHA-512:	76702CCA04FB99347352176651CCCB02497A09EE4BF0A4C22604FE8EC0F306008F17A343E2ECB7999C40D7E8FFCFCB7A7E57A7C8399721F1CD4BD24A28F1773F
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"fbda1f9b-e03c-4207-94bb-3e5ec8a299dc","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T08:19:30.130Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cdbde02e-86fb-4899-ad8a-776106784576","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5320
Entropy (8bit):	6.6042106566953995
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMggiA:zTx2x2t0FDJ4NpkuvjdeplTMp
MD5:	E3E09D3A459131D9A796509E2B74622E
SHA1:	5EA797BF89A9F3FA6D145C5050B65A5789D26684
SHA-256:	56940DF1F209C1289E1FCBDB353AA3308581F3469325BC01584C3C8CC86E09C9
SHA-512:	7F0DA23EC0F97E0D58DB3B6DB6D2FFBAC077847B8C460F18F03CFA0611B313C6A32854E2F8904443DF257960C6FA81F4B1D19409E489488D49963962E338486F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5320
Entropy (8bit):	6.6042106566953995
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMggiA:zTx2x2t0FDJ4NpkuvjdeplTMp
MD5:	E3E09D3A459131D9A796509E2B74622E
SHA1:	5EA797BF89A9F3FA6D145C5050B65A5789D26684
SHA-256:	56940DF1F209C1289E1FCBDB353AA3308581F3469325BC01584C3C8CC86E09C9
SHA-512:	7F0DA23EC0F97E0D58DB3B6DB6D2FFBAC077847B8C460F18F03CFA0611B313C6A32854E2F8904443DF257960C6FA81F4B1D19409E489488D49963962E338486F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185849187264327
Encrypted:	false
SSDEEP:	768:0I4nvfwkXU4y6f4k4oB4a4IPN84I4/4uw4J424qF4g:0NPa45
MD5:	6C3BE83A836C11F0781A28C5C276611E
SHA1:	826B42D0E82A04A59A96150A478A9C63172B7506
SHA-256:	FB38EDAD3460F248967331080F6C398248DBC215D16E4BAB3E31CE260E1176B7
SHA-512:	EA67C9DF14F00A17C3044EE63DAFA9E7FA9A4B0F04A4D98CC19F2C9794D6D9A215323E13AD354AF60DE1F31288C565EE4455CFE3B9B8F2877DEF20A4151D4921
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{fc425cd7-ddd8-48c7-9e11-c0b9f650e5fa}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185849187264327
Encrypted:	false
SSDEEP:	768:0I4nvfwkXU4y6f4k4oB4a4IPN84I4/4uw4J424qF4g:0NPa45
MD5:	6C3BE83A836C11F0781A28C5C276611E
SHA1:	826B42D0E82A04A59A96150A478A9C63172B7506
SHA-256:	FB38EDAD3460F248967331080F6C398248DBC215D16E4BAB3E31CE260E1176B7
SHA-512:	EA67C9DF14F00A17C3044EE63DAFA9E7FA9A4B0F04A4D98CC19F2C9794D6D9A215323E13AD354AF60DE1F31288C565EE4455CFE3B9B8F2877DEF20A4151D4921
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{fc425cd7-ddd8-48c7-9e11-c0b9f650e5fa}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07330202630493711
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki6:DLhesh7Owd4+ji
MD5:	4E30A382460DFA69DFF2355A99597248
SHA1:	6B67E9D7D44B9E8C4D6F66E83FD64D4F2BDC1197
SHA-256:	C7716646B779DB262E00C9DBBC95E7F2EC571C593FC31B74F0C3B06CAD4F7E4C
SHA-512:	5E592C755CBF8656E2D8A5598086AEE8CA166FDBA5622EB81805017BF1BD08E72384C15D7F428A68118CF0EB4A3D8679BFD0FE8C43D1E90E6466F2376B45F17B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035737944707653645
Encrypted:	false
SSDEEP:	3:GtlstFCEpJ0A8xYkWl3lstFCEpJ0A8xYk789//alEl:GtWtAEpJSeVl3WtAEpJSeC89XuM
MD5:	4F748B5EABB11AFFD286C90FDC7A25DE
SHA1:	3070B0E0821062BAECE51342F23F89818B727496
SHA-256:	97ABD40D8D9DA719294B267C3211B5E66EF77F3E25ACA355F1AB038EC8E963CC
SHA-512:	31657E24B5DD97B7A6E4D4549D28E7C5BB3A52EBB9874038BCB32EB9C694C3A027A7242339D852987BBBE4FBAB454A41778489226324DB8E6D38FD36396877F3
Malicious:	false
Preview:	..-.......................jN..u.cQ....Z.yfGY..D...-.......................jN..u.cQ....Z.yfGY..D.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03728292001678587
Encrypted:	false
SSDEEP:	3:Ol17tb9yqfG0AK5fw7Yl5N8aEJ/Nmhml8XW3R2:KRtb9ySi/Ehm93w
MD5:	64B2315DA600E45894A79D74127AF1CD
SHA1:	1B9FDE017812166239772D0811E94249E1CA80C4
SHA-256:	96E34AD39ADDF6A62708DA7F9770F7CCCB9F5D66B8C0FC7F2FFB13605DBB9F42
SHA-512:	F50FE9F9B535EE85906B0E321290D615E3C54E7711F98361B80FEED60CE60AE4B721FD438CD5425CAB79A4F2411E26D933AF4C834CAAC5B8F03CDF57EEF31C62
Malicious:	false
Preview:	7....-..........cQ....Z..Tv.^I.........cQ....Z.Nj...u..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	modified
Size (bytes):	13820
Entropy (8bit):	5.4684407755128115
Encrypted:	false
SSDEEP:	192:NzpneRdIYbBp69nmUzaXe6aRxYKWPaLK5RDNBw8d99mSl:Nz/eKmUyMpDmrwyw0
MD5:	EBACB9AEEC8CBD1CC8F6E8724466F45E
SHA1:	19C96E9CF890FF796EE259B382526944F5489E02
SHA-256:	8D5C0DA6A56B3A8D6318663E6289E8769AD593FC2DDB88E70D266E6AA9923D4E
SHA-512:	D887A3C10EE80E6422E39DE027F95ED183DAC78E7F990E1687EB26ED102814C70FE09D5F33CFA19149BCFF4BA3141525A02183C5D9C1202BD7E50B60FE11790B
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728431555);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728431555);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728431555);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172843

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13820
Entropy (8bit):	5.4684407755128115
Encrypted:	false
SSDEEP:	192:NzpneRdIYbBp69nmUzaXe6aRxYKWPaLK5RDNBw8d99mSl:Nz/eKmUyMpDmrwyw0
MD5:	EBACB9AEEC8CBD1CC8F6E8724466F45E
SHA1:	19C96E9CF890FF796EE259B382526944F5489E02
SHA-256:	8D5C0DA6A56B3A8D6318663E6289E8769AD593FC2DDB88E70D266E6AA9923D4E
SHA-512:	D887A3C10EE80E6422E39DE027F95ED183DAC78E7F990E1687EB26ED102814C70FE09D5F33CFA19149BCFF4BA3141525A02183C5D9C1202BD7E50B60FE11790B
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728431555);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728431555);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728431555);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172843

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1562
Entropy (8bit):	6.335593915670693
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSFx0f/LXnIgJ/pnxQwRlszT5sKDqQALU3eHVY+qo+pTQJamhujJvyd:GUpOxYGf/rnR6rKU3epfyTo4JaNIHe
MD5:	FB20BF3CE86C04E3A57D85BC75D0E315
SHA1:	5447902B26688A745F926FAE2C8FD2E1DA6B8834
SHA-256:	C313EC907A0456F4E0038C55D099A9BA109F4AA6AE1FD8FF1389EA881FC734B2
SHA-512:	965AC8A68DCABCB7360A6B45BAD183302661C2FCD711997FE7A796AFFC952A17332399C3800FD44825BE15782390D953071132B6BD717818EF798FBA16F54142
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{04478734-427a-4c2b-b6a1-24696287f2d0}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728431560223,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...890d5fc3-0c4c-4214-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P25024...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...32238,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1562
Entropy (8bit):	6.335593915670693
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSFx0f/LXnIgJ/pnxQwRlszT5sKDqQALU3eHVY+qo+pTQJamhujJvyd:GUpOxYGf/rnR6rKU3epfyTo4JaNIHe
MD5:	FB20BF3CE86C04E3A57D85BC75D0E315
SHA1:	5447902B26688A745F926FAE2C8FD2E1DA6B8834
SHA-256:	C313EC907A0456F4E0038C55D099A9BA109F4AA6AE1FD8FF1389EA881FC734B2
SHA-512:	965AC8A68DCABCB7360A6B45BAD183302661C2FCD711997FE7A796AFFC952A17332399C3800FD44825BE15782390D953071132B6BD717818EF798FBA16F54142
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{04478734-427a-4c2b-b6a1-24696287f2d0}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728431560223,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...890d5fc3-0c4c-4214-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P25024...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...32238,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1562
Entropy (8bit):	6.335593915670693
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSFx0f/LXnIgJ/pnxQwRlszT5sKDqQALU3eHVY+qo+pTQJamhujJvyd:GUpOxYGf/rnR6rKU3epfyTo4JaNIHe
MD5:	FB20BF3CE86C04E3A57D85BC75D0E315
SHA1:	5447902B26688A745F926FAE2C8FD2E1DA6B8834
SHA-256:	C313EC907A0456F4E0038C55D099A9BA109F4AA6AE1FD8FF1389EA881FC734B2
SHA-512:	965AC8A68DCABCB7360A6B45BAD183302661C2FCD711997FE7A796AFFC952A17332399C3800FD44825BE15782390D953071132B6BD717818EF798FBA16F54142
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{04478734-427a-4c2b-b6a1-24696287f2d0}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728431560223,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...890d5fc3-0c4c-4214-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P25024...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...32238,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.010977327558591
Encrypted:	false
SSDEEP:	48:YrSAYv/HfudxUQZpExB1+anOpWZOVhFu1VuWxzzcsYMsku7f86SLAVL7DV9F5FtY:ycHfMTEr5RXxzzcBvbw6KkjVrrc2Rn27
MD5:	4C96D2E239F8CD17EC9DF1F7FA8A76E4
SHA1:	FE028B84DB5947C9B94B66DAB0A44DE01E6EA234
SHA-256:	66901453EC9F716F69B1F9F0D7D02CE385747665C34663E13F16FCEC40DD2F32
SHA-512:	71F8725AB2E1FA3C2D0D95034241ED7A02262E6B85346776CE2CFD5A5726AE17D3CB4D7F75C22188E30A815A0277C4084ECCD966F4D6DB5A960339492CA0CDF7
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T23:52:19.759Z","profileAgeCreated":1696493964214,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.010977327558591
Encrypted:	false
SSDEEP:	48:YrSAYv/HfudxUQZpExB1+anOpWZOVhFu1VuWxzzcsYMsku7f86SLAVL7DV9F5FtY:ycHfMTEr5RXxzzcBvbw6KkjVrrc2Rn27
MD5:	4C96D2E239F8CD17EC9DF1F7FA8A76E4
SHA1:	FE028B84DB5947C9B94B66DAB0A44DE01E6EA234
SHA-256:	66901453EC9F716F69B1F9F0D7D02CE385747665C34663E13F16FCEC40DD2F32
SHA-512:	71F8725AB2E1FA3C2D0D95034241ED7A02262E6B85346776CE2CFD5A5726AE17D3CB4D7F75C22188E30A815A0277C4084ECCD966F4D6DB5A960339492CA0CDF7
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T23:52:19.759Z","profileAgeCreated":1696493964214,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.583378146970548
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	88f5ee9048198b17b68c8c960b6888ce
SHA1:	d0e82acbd32a243dd71532c07dc2c0b3058f05a3
SHA256:	c5f4d028a2f24deaf15cfb7f0113caea6b5ab0b92b6bc8137fb28b2bb9b4f31d
SHA512:	1d43b60b063ccf3ca3145669f08f117873a83b6391d40abc04b986d99e7140dca1deb48d711761860a0fd8eace74108897659dad9cd048add98977cd77df6c36
SSDEEP:	12288:tqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaxTZ:tqDEvCTbMWu7rQYlBQcBiT6rprG8aFZ
TLSH:	EB159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6705AECB [Tue Oct 8 22:14:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F4B88CDF393h
jmp 00007F4B88CDEC9Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4B88CDEE7Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4B88CDEE4Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4B88CE1A3Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F4B88CE1A88h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F4B88CE1A71h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9a34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9a34	0x9c00	f2847329f4a705de1c5e4304dd8fca2c	False	0.30651542467948717	data	5.327314763252031	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xcfc	data			1.003309265944645
RT_GROUP_ICON	0xdd4b4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd52c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd540	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd554	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd568	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd644	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2024 00:20:03.015038967 CEST	49711	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:03.015086889 CEST	443	49711	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:03.015464067 CEST	49712	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:03.015500069 CEST	443	49712	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:03.015594006 CEST	49713	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:03.015660048 CEST	443	49713	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:03.020356894 CEST	49712	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:03.020360947 CEST	49713	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:03.020397902 CEST	49711	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:03.035820007 CEST	49711	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:03.035836935 CEST	443	49711	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:03.037326097 CEST	49713	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:03.037348032 CEST	443	49713	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:03.038721085 CEST	49712	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:03.038738966 CEST	443	49712	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:03.046380997 CEST	49714	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:03.054620981 CEST	80	49714	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:03.054711103 CEST	49714	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:03.054835081 CEST	49714	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:03.061227083 CEST	80	49714	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.040502071 CEST	80	49714	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.040661097 CEST	80	49714	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.041527033 CEST	80	49714	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.045084000 CEST	49714	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.045197010 CEST	49714	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.045397043 CEST	49714	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.050834894 CEST	443	49712	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.050856113 CEST	443	49713	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.052212000 CEST	443	49713	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.052227020 CEST	443	49712	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.052274942 CEST	443	49711	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:04.054527044 CEST	49712	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:04.054543018 CEST	443	49712	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.054553986 CEST	49713	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:04.054570913 CEST	443	49713	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.065656900 CEST	49712	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:04.065674067 CEST	49711	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:04.101933956 CEST	49711	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:04.101955891 CEST	443	49711	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:04.101994038 CEST	49713	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:04.102015972 CEST	443	49713	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.102206945 CEST	49713	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:04.102307081 CEST	49711	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:04.102334023 CEST	443	49713	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.102360964 CEST	49712	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:04.102385044 CEST	443	49712	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.102463961 CEST	49712	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:04.102602959 CEST	443	49712	216.58.206.46	192.168.2.8
Oct 9, 2024 00:20:04.102628946 CEST	443	49711	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:04.103037119 CEST	49712	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:04.103219986 CEST	49713	443	192.168.2.8	216.58.206.46
Oct 9, 2024 00:20:04.103221893 CEST	49711	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:04.282721043 CEST	49715	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.282767057 CEST	443	49715	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.283093929 CEST	49716	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.283140898 CEST	443	49716	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.283329964 CEST	49715	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.283340931 CEST	49716	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.284807920 CEST	49715	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.284822941 CEST	443	49715	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.286187887 CEST	49716	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.286196947 CEST	443	49716	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.289108038 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.289144039 CEST	443	49717	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:04.289484024 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.289484024 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.289514065 CEST	443	49717	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:04.291189909 CEST	80	49714	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.291245937 CEST	49714	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.307245016 CEST	49718	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.307904005 CEST	49719	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.307940960 CEST	443	49719	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:04.308093071 CEST	49719	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.308223963 CEST	49719	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.308239937 CEST	443	49719	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:04.313575029 CEST	80	49718	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.313836098 CEST	49718	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.313983917 CEST	49718	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.320185900 CEST	80	49718	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.815234900 CEST	443	49716	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.818095922 CEST	49716	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.831765890 CEST	443	49717	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:04.831836939 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.833436012 CEST	80	49718	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.839924097 CEST	443	49715	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.840503931 CEST	49715	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.846157074 CEST	443	49719	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:04.846224070 CEST	49719	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.861263037 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.861278057 CEST	443	49717	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:04.861612082 CEST	443	49717	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:04.863935947 CEST	49719	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.863966942 CEST	443	49719	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:04.864238977 CEST	443	49719	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:04.871273041 CEST	49716	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.871315002 CEST	443	49716	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.871351957 CEST	49716	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.871606112 CEST	443	49716	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.873428106 CEST	49715	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.873447895 CEST	443	49715	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.873528004 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.873697996 CEST	443	49715	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.873982906 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.873986006 CEST	443	49717	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:04.874017000 CEST	443	49717	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:04.874032974 CEST	49715	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.874039888 CEST	443	49715	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.877507925 CEST	49719	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.877607107 CEST	49719	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.877661943 CEST	443	49719	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:04.878041983 CEST	49721	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.878082037 CEST	443	49721	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:04.878490925 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.878505945 CEST	49719	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.878520012 CEST	49716	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.878598928 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.878604889 CEST	49715	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.878616095 CEST	49718	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.880925894 CEST	49719	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.880944967 CEST	49717	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:04.880975008 CEST	49721	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.881195068 CEST	49721	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:04.881211996 CEST	443	49721	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:04.919270992 CEST	49718	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.921761990 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.925704956 CEST	49723	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.925743103 CEST	443	49723	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.925862074 CEST	80	49718	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.928231001 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:04.932720900 CEST	49718	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.932737112 CEST	49723	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.932749987 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.934195995 CEST	49723	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:04.934211969 CEST	443	49723	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:04.934339046 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:04.940485001 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:05.337759018 CEST	443	49721	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:05.339081049 CEST	49721	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:05.342339993 CEST	49721	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:05.342350960 CEST	443	49721	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:05.342664957 CEST	443	49721	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:05.344912052 CEST	49721	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:05.344974995 CEST	49721	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:05.345088005 CEST	443	49721	34.160.144.191	192.168.2.8
Oct 9, 2024 00:20:05.346016884 CEST	49721	443	192.168.2.8	34.160.144.191
Oct 9, 2024 00:20:05.387257099 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:05.400263071 CEST	443	49723	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:05.400279045 CEST	443	49723	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:05.400698900 CEST	49723	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:05.431427002 CEST	49723	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:05.431452036 CEST	443	49723	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:05.431503057 CEST	49723	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:05.431725979 CEST	443	49723	34.117.188.166	192.168.2.8
Oct 9, 2024 00:20:05.432216883 CEST	49723	443	192.168.2.8	34.117.188.166
Oct 9, 2024 00:20:05.435317993 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:05.641056061 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:05.641128063 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:05.761754036 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:05.768030882 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:05.769968987 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:05.771315098 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:05.778176069 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:06.237304926 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:06.291728973 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:06.301870108 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:06.306706905 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:06.467591047 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:06.507981062 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:06.824799061 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:07.125361919 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:07.143564939 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:07.143574953 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:07.236007929 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:07.269499063 CEST	49727	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:07.269535065 CEST	443	49727	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:07.270142078 CEST	49727	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:07.271697998 CEST	49727	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:07.271712065 CEST	443	49727	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:07.279059887 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:07.341799021 CEST	49728	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:07.341845036 CEST	443	49728	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:07.342185974 CEST	49728	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:07.342310905 CEST	49728	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:07.342319965 CEST	443	49728	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:07.483040094 CEST	49729	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:07.483088970 CEST	443	49729	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:07.495352983 CEST	49729	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:07.496970892 CEST	49729	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:07.496984005 CEST	443	49729	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:07.594608068 CEST	49730	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:07.594650030 CEST	443	49730	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:07.597656965 CEST	49730	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:07.598839998 CEST	49730	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:07.598860025 CEST	443	49730	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:07.749826908 CEST	443	49727	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:07.752970934 CEST	49727	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:07.757524014 CEST	49727	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:07.757536888 CEST	443	49727	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:07.757740974 CEST	443	49727	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:07.757777929 CEST	49727	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:07.757786036 CEST	443	49727	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:07.758341074 CEST	49727	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:07.818742037 CEST	443	49728	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:07.818834066 CEST	49728	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:07.821600914 CEST	49728	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:07.821611881 CEST	443	49728	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:07.822395086 CEST	443	49728	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:07.823791027 CEST	49728	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:07.823869944 CEST	49728	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:07.824197054 CEST	443	49728	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:07.824255943 CEST	49728	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:07.974199057 CEST	443	49729	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:07.974216938 CEST	443	49729	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:07.974339962 CEST	49729	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:07.978919029 CEST	49729	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:07.978933096 CEST	443	49729	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:07.979011059 CEST	49729	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:07.979187965 CEST	443	49729	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:07.979248047 CEST	49729	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:08.074640036 CEST	443	49730	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:08.074764013 CEST	49730	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:08.079293013 CEST	49730	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:08.079329014 CEST	443	49730	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:08.079370022 CEST	49730	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:08.079663038 CEST	443	49730	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:08.079758883 CEST	49730	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:09.889465094 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:10.017716885 CEST	49731	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:10.017752886 CEST	443	49731	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:10.023485899 CEST	49732	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:10.023524046 CEST	443	49732	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:10.029380083 CEST	49731	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:10.029598951 CEST	49732	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:10.031014919 CEST	49731	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:10.031029940 CEST	443	49731	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:10.031181097 CEST	49732	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:10.031196117 CEST	443	49732	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:10.116055965 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:10.416924953 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:10.733324051 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:10.733957052 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:10.734102011 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:10.736826897 CEST	49733	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:10.736854076 CEST	443	49733	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:10.736907005 CEST	49733	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:10.738357067 CEST	49733	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:10.738373995 CEST	443	49733	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:10.826531887 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:10.877166033 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:11.227034092 CEST	443	49732	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:11.227420092 CEST	49732	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:11.230257034 CEST	49732	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:11.230273962 CEST	443	49732	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:11.230545044 CEST	443	49732	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:11.232947111 CEST	49732	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:11.233025074 CEST	49732	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:11.233109951 CEST	443	49732	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:11.233165979 CEST	49732	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:11.234613895 CEST	443	49731	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:11.234632969 CEST	443	49731	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:11.234759092 CEST	49731	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:11.235105991 CEST	443	49733	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:11.235351086 CEST	49733	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:11.306559086 CEST	49731	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:11.306581974 CEST	443	49731	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:11.306643963 CEST	49731	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:11.306757927 CEST	49733	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:11.306780100 CEST	443	49733	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:11.306814909 CEST	443	49731	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:11.306823969 CEST	49733	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:11.306941986 CEST	49731	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:11.307013035 CEST	443	49733	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:11.307137012 CEST	49733	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.604150057 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:14.609009981 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:14.641967058 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:14.646768093 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:14.650873899 CEST	49739	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.650913000 CEST	443	49739	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:14.655064106 CEST	49739	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.657006979 CEST	49739	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.657018900 CEST	443	49739	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:14.702065945 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:14.736761093 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:14.748841047 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:14.786595106 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:14.950897932 CEST	49740	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.950930119 CEST	443	49740	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:14.951855898 CEST	49741	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.951915026 CEST	443	49741	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:14.952086926 CEST	49742	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.952095032 CEST	443	49742	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:14.952601910 CEST	49743	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:14.952609062 CEST	443	49743	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:14.953866959 CEST	49741	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.953867912 CEST	49740	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.953993082 CEST	49740	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.953994989 CEST	49742	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.953994989 CEST	49743	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:14.954004049 CEST	443	49740	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:14.954144001 CEST	49741	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.954168081 CEST	443	49741	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:14.954216003 CEST	49742	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:14.954227924 CEST	443	49742	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:14.955611944 CEST	49743	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:14.955624104 CEST	443	49743	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:14.959393024 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:14.963618994 CEST	49744	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:14.963651896 CEST	443	49744	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:14.963809967 CEST	49744	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:14.963809967 CEST	49744	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:14.963841915 CEST	443	49744	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:14.966022968 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:15.059488058 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:15.103034973 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:15.127091885 CEST	443	49739	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.127413034 CEST	49739	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.292893887 CEST	49739	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.292916059 CEST	443	49739	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.293112040 CEST	49739	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.293188095 CEST	443	49739	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.293277025 CEST	49739	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.408586979 CEST	443	49740	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.410119057 CEST	443	49743	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:15.411870003 CEST	443	49741	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.413727045 CEST	49740	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.413799047 CEST	49743	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:15.414133072 CEST	49741	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.416572094 CEST	49740	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.416577101 CEST	443	49740	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.416810036 CEST	443	49740	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.419084072 CEST	49741	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.419090033 CEST	443	49741	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.419370890 CEST	443	49741	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.419804096 CEST	443	49742	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.420171976 CEST	49742	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.420897961 CEST	443	49744	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:15.423141956 CEST	49742	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.423146963 CEST	443	49742	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.423388958 CEST	443	49742	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.426105022 CEST	49744	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:15.428637028 CEST	49744	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:15.428668976 CEST	443	49744	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:15.428895950 CEST	443	49744	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:15.429012060 CEST	49740	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.429200888 CEST	443	49740	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.429656029 CEST	49740	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.429662943 CEST	443	49740	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.429831982 CEST	49741	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.430052996 CEST	443	49741	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.430062056 CEST	49743	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:15.430078983 CEST	443	49743	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:15.430109024 CEST	49741	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.430239916 CEST	443	49743	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:15.430321932 CEST	49741	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.430330992 CEST	443	49741	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.430377960 CEST	49743	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:15.430383921 CEST	443	49743	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:15.430728912 CEST	49742	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.430876017 CEST	49742	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.430881023 CEST	443	49742	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.430891991 CEST	443	49742	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.431862116 CEST	49744	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:15.431907892 CEST	49744	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:15.432034969 CEST	443	49744	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:15.432065964 CEST	49742	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.432183027 CEST	49744	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:15.635407925 CEST	443	49743	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:15.635776043 CEST	49743	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:15.639467001 CEST	443	49740	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:15.639677048 CEST	49740	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:15.680990934 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:15.688158035 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:15.777575016 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:15.842875004 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:16.047080040 CEST	49745	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.047126055 CEST	443	49745	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.047678947 CEST	49745	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.047827959 CEST	49745	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.047842979 CEST	443	49745	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.107666969 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:16.108374119 CEST	49746	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.108418941 CEST	443	49746	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.109452963 CEST	49746	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.110836983 CEST	49746	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.110855103 CEST	443	49746	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.114036083 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:16.219654083 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:16.275279999 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:16.518301010 CEST	443	49745	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.518378973 CEST	49745	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.597295046 CEST	443	49746	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.605875015 CEST	49746	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.840795040 CEST	49745	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.840816975 CEST	443	49745	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.841166973 CEST	443	49745	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.848061085 CEST	49745	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.848184109 CEST	49745	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.848288059 CEST	443	49745	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.848479033 CEST	49745	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.849113941 CEST	49746	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.849123955 CEST	443	49746	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.849208117 CEST	49746	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:16.849571943 CEST	443	49746	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:16.849807978 CEST	49746	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:17.205991983 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:17.212327003 CEST	49747	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:17.212378979 CEST	443	49747	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:17.212888956 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:17.214111090 CEST	49747	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:17.215852022 CEST	49747	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:17.215873003 CEST	443	49747	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:17.302740097 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:17.362857103 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:17.569886923 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:17.575268030 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:17.668706894 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:17.701412916 CEST	443	49747	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:17.701509953 CEST	49747	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:17.710653067 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:18.106328964 CEST	49747	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:18.106350899 CEST	443	49747	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:18.106437922 CEST	49747	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:18.106678009 CEST	443	49747	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:18.107081890 CEST	49747	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:19.628691912 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:19.634738922 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:19.724745989 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:19.769881964 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:20.072973967 CEST	49748	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:20.073014021 CEST	443	49748	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:20.074595928 CEST	49748	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:20.076108932 CEST	49748	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:20.076118946 CEST	443	49748	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:20.081449032 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:20.133675098 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:20.226922989 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:20.271368980 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:20.587785006 CEST	443	49748	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:20.588171959 CEST	49748	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:20.593028069 CEST	49748	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:20.593028069 CEST	49748	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:20.593044043 CEST	443	49748	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:20.593301058 CEST	443	49748	34.120.208.123	192.168.2.8
Oct 9, 2024 00:20:20.594223976 CEST	49748	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:20:20.888104916 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:20.893908024 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:20.983546972 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:20.986344099 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:20.992204905 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:21.043414116 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:21.085630894 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:21.142733097 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:25.994487047 CEST	49749	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:25.994529009 CEST	443	49749	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:25.994699955 CEST	49749	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:25.996098995 CEST	49749	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:25.996119976 CEST	443	49749	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:26.484267950 CEST	443	49749	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:26.484441996 CEST	49749	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:26.489188910 CEST	49749	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:26.489202976 CEST	443	49749	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:26.489392996 CEST	443	49749	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:26.489415884 CEST	49749	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:26.489434958 CEST	443	49749	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:26.491970062 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:26.498986006 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:26.588124037 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:26.591666937 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:26.598479033 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:26.635701895 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:26.691771984 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:26.699414968 CEST	443	49749	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:26.699465990 CEST	49749	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:26.735960960 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:29.945689917 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:29.945750952 CEST	443	49750	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:29.946279049 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:29.946427107 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:29.946434021 CEST	443	49750	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:29.965709925 CEST	49751	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:29.965739965 CEST	443	49751	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:29.965853930 CEST	49751	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:29.966046095 CEST	49751	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:29.966065884 CEST	443	49751	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:29.968261957 CEST	49752	443	192.168.2.8	52.222.236.80
Oct 9, 2024 00:20:29.968302965 CEST	443	49752	52.222.236.80	192.168.2.8
Oct 9, 2024 00:20:29.968566895 CEST	49752	443	192.168.2.8	52.222.236.80
Oct 9, 2024 00:20:29.968686104 CEST	49752	443	192.168.2.8	52.222.236.80
Oct 9, 2024 00:20:29.968703032 CEST	443	49752	52.222.236.80	192.168.2.8
Oct 9, 2024 00:20:30.002094984 CEST	49753	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:30.002144098 CEST	443	49753	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:30.005963087 CEST	49753	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:30.007543087 CEST	49753	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:30.007563114 CEST	443	49753	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:30.023550034 CEST	49754	443	192.168.2.8	35.201.103.21
Oct 9, 2024 00:20:30.023580074 CEST	443	49754	35.201.103.21	192.168.2.8
Oct 9, 2024 00:20:30.026290894 CEST	49754	443	192.168.2.8	35.201.103.21
Oct 9, 2024 00:20:30.027843952 CEST	49754	443	192.168.2.8	35.201.103.21
Oct 9, 2024 00:20:30.027858973 CEST	443	49754	35.201.103.21	192.168.2.8
Oct 9, 2024 00:20:30.418494940 CEST	443	49750	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.418585062 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.422369003 CEST	443	49751	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.422890902 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.422902107 CEST	443	49750	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.423149109 CEST	443	49750	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.425226927 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.425379992 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.425380945 CEST	443	49750	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.425391912 CEST	443	49750	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.427402973 CEST	443	49751	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.430655956 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:30.431359053 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.431375980 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.431375980 CEST	49750	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.432054043 CEST	49751	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.435410976 CEST	49751	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.435425043 CEST	443	49751	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.435600996 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:30.435790062 CEST	443	49751	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.437777042 CEST	49751	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.437952995 CEST	49751	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.437973022 CEST	443	49751	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.439238071 CEST	49751	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.439238071 CEST	49751	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.480622053 CEST	443	49753	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:30.480710983 CEST	49753	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:30.485191107 CEST	49753	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:30.485208035 CEST	443	49753	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:30.485373020 CEST	443	49753	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:30.485481024 CEST	49753	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:30.485490084 CEST	443	49753	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:30.490945101 CEST	443	49754	35.201.103.21	192.168.2.8
Oct 9, 2024 00:20:30.491014957 CEST	49754	443	192.168.2.8	35.201.103.21
Oct 9, 2024 00:20:30.495088100 CEST	49754	443	192.168.2.8	35.201.103.21
Oct 9, 2024 00:20:30.495110035 CEST	443	49754	35.201.103.21	192.168.2.8
Oct 9, 2024 00:20:30.495250940 CEST	49754	443	192.168.2.8	35.201.103.21
Oct 9, 2024 00:20:30.495367050 CEST	443	49754	35.201.103.21	192.168.2.8
Oct 9, 2024 00:20:30.496831894 CEST	49754	443	192.168.2.8	35.201.103.21
Oct 9, 2024 00:20:30.499692917 CEST	49755	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.499725103 CEST	443	49755	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.499852896 CEST	49755	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.499978065 CEST	49755	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.499989986 CEST	443	49755	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.525355101 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:30.528908968 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:30.534434080 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:30.578504086 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:30.627695084 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:30.668693066 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:30.691401005 CEST	443	49753	35.190.72.216	192.168.2.8
Oct 9, 2024 00:20:30.691478968 CEST	49753	443	192.168.2.8	35.190.72.216
Oct 9, 2024 00:20:30.710560083 CEST	443	49752	52.222.236.80	192.168.2.8
Oct 9, 2024 00:20:30.710930109 CEST	49752	443	192.168.2.8	52.222.236.80
Oct 9, 2024 00:20:30.715404034 CEST	49752	443	192.168.2.8	52.222.236.80
Oct 9, 2024 00:20:30.715416908 CEST	443	49752	52.222.236.80	192.168.2.8
Oct 9, 2024 00:20:30.715650082 CEST	443	49752	52.222.236.80	192.168.2.8
Oct 9, 2024 00:20:30.718185902 CEST	49752	443	192.168.2.8	52.222.236.80
Oct 9, 2024 00:20:30.718290091 CEST	49752	443	192.168.2.8	52.222.236.80
Oct 9, 2024 00:20:30.718338966 CEST	443	49752	52.222.236.80	192.168.2.8
Oct 9, 2024 00:20:30.718803883 CEST	49752	443	192.168.2.8	52.222.236.80
Oct 9, 2024 00:20:30.728153944 CEST	49756	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.728193045 CEST	443	49756	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.728480101 CEST	49756	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.728580952 CEST	49756	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.728593111 CEST	443	49756	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.730582952 CEST	49757	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.730634928 CEST	443	49757	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.731431961 CEST	49757	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.731558084 CEST	49757	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.731566906 CEST	443	49757	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.733012915 CEST	49758	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.733023882 CEST	443	49758	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.733494997 CEST	49758	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.733612061 CEST	49758	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:30.733623028 CEST	443	49758	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:30.735224962 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:30.741491079 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:30.831765890 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:30.835402012 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:30.842093945 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:30.879503965 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:30.935743093 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:30.979376078 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:30.985997915 CEST	443	49755	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.986176014 CEST	49755	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.990621090 CEST	49755	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.990632057 CEST	443	49755	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.990873098 CEST	443	49755	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.993244886 CEST	49755	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.993426085 CEST	443	49755	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.993432999 CEST	49755	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.993441105 CEST	443	49755	34.149.100.209	192.168.2.8
Oct 9, 2024 00:20:30.994534969 CEST	49755	443	192.168.2.8	34.149.100.209
Oct 9, 2024 00:20:30.996387959 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:31.002976894 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:31.092550993 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:31.095885992 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:31.102349043 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:31.133205891 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:31.194341898 CEST	443	49757	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.194572926 CEST	49757	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.195811987 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:31.197137117 CEST	49757	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.197148085 CEST	443	49757	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.197374105 CEST	443	49757	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.199064016 CEST	443	49758	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.199207067 CEST	49758	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.201459885 CEST	49758	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.201466084 CEST	443	49758	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.201689959 CEST	443	49758	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.202008963 CEST	49757	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.202142000 CEST	443	49757	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.202234030 CEST	49757	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.202241898 CEST	443	49757	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.204822063 CEST	49758	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.204898119 CEST	49758	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.204967976 CEST	443	49758	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.206907034 CEST	49758	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.206923962 CEST	49758	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.206934929 CEST	49757	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.207921982 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:31.214692116 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:31.235141993 CEST	443	49756	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.235408068 CEST	49756	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.237915039 CEST	49756	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.237921000 CEST	443	49756	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.238162994 CEST	443	49756	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.240210056 CEST	49756	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.240387917 CEST	443	49756	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.240622044 CEST	49756	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:31.240627050 CEST	443	49756	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.248985052 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:31.304383993 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:31.307394981 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:31.314109087 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:31.349288940 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:31.409063101 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:31.449558020 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:31.451404095 CEST	443	49756	35.244.181.201	192.168.2.8
Oct 9, 2024 00:20:31.451730967 CEST	49756	443	192.168.2.8	35.244.181.201
Oct 9, 2024 00:20:41.309015036 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:41.314050913 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:41.431454897 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:41.436537027 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:44.729741096 CEST	63563	443	192.168.2.8	142.251.32.110
Oct 9, 2024 00:20:44.729782104 CEST	443	63563	142.251.32.110	192.168.2.8
Oct 9, 2024 00:20:44.729849100 CEST	63563	443	192.168.2.8	142.251.32.110
Oct 9, 2024 00:20:44.730146885 CEST	63563	443	192.168.2.8	142.251.32.110
Oct 9, 2024 00:20:44.730156898 CEST	443	63563	142.251.32.110	192.168.2.8
Oct 9, 2024 00:20:45.234354973 CEST	443	63563	142.251.32.110	192.168.2.8
Oct 9, 2024 00:20:45.234436989 CEST	63563	443	192.168.2.8	142.251.32.110
Oct 9, 2024 00:20:45.235130072 CEST	443	63563	142.251.32.110	192.168.2.8
Oct 9, 2024 00:20:45.235177994 CEST	63563	443	192.168.2.8	142.251.32.110
Oct 9, 2024 00:20:45.238359928 CEST	63563	443	192.168.2.8	142.251.32.110
Oct 9, 2024 00:20:45.238369942 CEST	443	63563	142.251.32.110	192.168.2.8
Oct 9, 2024 00:20:45.238612890 CEST	443	63563	142.251.32.110	192.168.2.8
Oct 9, 2024 00:20:45.241025925 CEST	63563	443	192.168.2.8	142.251.32.110
Oct 9, 2024 00:20:45.241131067 CEST	63563	443	192.168.2.8	142.251.32.110
Oct 9, 2024 00:20:45.241188049 CEST	443	63563	142.251.32.110	192.168.2.8
Oct 9, 2024 00:20:45.241327047 CEST	63563	443	192.168.2.8	142.251.32.110
Oct 9, 2024 00:20:45.246990919 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:45.251830101 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:45.342262030 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:45.345366001 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:45.350317955 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:45.389771938 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:45.443284988 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:45.489636898 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:46.551220894 CEST	63564	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:46.551260948 CEST	443	63564	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:46.551634073 CEST	63564	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:46.553261042 CEST	63564	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:46.553277969 CEST	443	63564	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:47.040779114 CEST	443	63564	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:47.040858984 CEST	63564	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:47.045237064 CEST	63564	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:47.045248985 CEST	443	63564	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:47.045352936 CEST	63564	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:47.045682907 CEST	443	63564	34.107.243.93	192.168.2.8
Oct 9, 2024 00:20:47.046962023 CEST	63564	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:20:47.050792933 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:47.057018995 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:47.147092104 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:47.150497913 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:47.156848907 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:47.194231033 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:47.250580072 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:47.294508934 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:57.154422045 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:57.161144972 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:20:57.254749060 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:20:57.260584116 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:00.162408113 CEST	63566	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.162434101 CEST	443	63566	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.162693024 CEST	63567	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.162719011 CEST	443	63567	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.163439035 CEST	63566	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.163609028 CEST	63566	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.163609028 CEST	63567	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.163619041 CEST	443	63566	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.164144039 CEST	63567	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.164154053 CEST	443	63567	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.169684887 CEST	63568	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.169724941 CEST	443	63568	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.169962883 CEST	63569	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.169962883 CEST	63570	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.169997931 CEST	443	63569	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.170011044 CEST	443	63570	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.171587944 CEST	63571	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.171606064 CEST	443	63571	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.171916008 CEST	63568	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.171926975 CEST	63569	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.171926975 CEST	63570	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.172055960 CEST	63571	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.172223091 CEST	63568	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.172235012 CEST	443	63568	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.172416925 CEST	63570	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.172429085 CEST	443	63570	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.172472000 CEST	63569	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.172487974 CEST	443	63569	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.172550917 CEST	63571	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.172561884 CEST	443	63571	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.629237890 CEST	443	63569	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.629411936 CEST	63569	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.631174088 CEST	443	63571	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.631696939 CEST	63571	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.631807089 CEST	443	63568	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.631876945 CEST	63568	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.632143974 CEST	443	63567	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.632266998 CEST	63567	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.632802963 CEST	63569	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.632827997 CEST	443	63569	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.633066893 CEST	443	63569	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.635406971 CEST	63567	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.635417938 CEST	443	63567	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.635699034 CEST	443	63567	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.637631893 CEST	63568	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.637639046 CEST	443	63568	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.637886047 CEST	443	63568	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.639971018 CEST	63571	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.639983892 CEST	443	63571	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.640265942 CEST	443	63571	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.641571999 CEST	443	63566	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.641896963 CEST	63566	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.643408060 CEST	443	63570	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.644465923 CEST	63566	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.644476891 CEST	443	63566	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.644714117 CEST	443	63566	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.644730091 CEST	63570	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.647367954 CEST	63570	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.647382021 CEST	443	63570	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.647680044 CEST	443	63570	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.650753975 CEST	63569	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.650929928 CEST	443	63569	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.651093960 CEST	63569	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.651103020 CEST	443	63569	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.651307106 CEST	63569	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.651307106 CEST	63567	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.651367903 CEST	63568	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.651494980 CEST	443	63567	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.651504040 CEST	443	63568	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.651885033 CEST	63568	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.651890993 CEST	443	63568	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.652045965 CEST	63571	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.652071953 CEST	63567	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.652080059 CEST	443	63567	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.652267933 CEST	443	63571	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.652463913 CEST	63571	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.652470112 CEST	443	63571	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.653290033 CEST	63572	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.653326988 CEST	443	63572	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.653568983 CEST	63573	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.653600931 CEST	443	63573	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.654375076 CEST	63566	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.654453039 CEST	63566	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.654536009 CEST	443	63566	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.655674934 CEST	63570	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.655750990 CEST	63570	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.656121969 CEST	443	63570	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.656394958 CEST	63571	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.656441927 CEST	63566	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.656469107 CEST	63572	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.656475067 CEST	63570	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.656475067 CEST	63573	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.656610966 CEST	63572	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.656621933 CEST	443	63572	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.656683922 CEST	63573	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.656697989 CEST	443	63573	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.680541039 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:00.686727047 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:00.777695894 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:00.820204020 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:00.826786995 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:00.834168911 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:00.859400988 CEST	443	63567	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.860398054 CEST	63567	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.863395929 CEST	443	63568	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:00.863955021 CEST	63568	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:00.919976950 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:00.965706110 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:01.131983042 CEST	443	63573	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:01.133126020 CEST	63573	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.135029078 CEST	443	63572	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:01.147407055 CEST	443	63572	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:01.147458076 CEST	63572	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.147583961 CEST	63572	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.149108887 CEST	63573	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.149141073 CEST	443	63573	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:01.149538040 CEST	443	63573	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:01.152002096 CEST	63572	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.152017117 CEST	443	63572	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:01.152313948 CEST	443	63572	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:01.156322956 CEST	63573	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.156483889 CEST	63573	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.156694889 CEST	443	63573	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:01.157531023 CEST	63572	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.157593012 CEST	63572	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.157766104 CEST	443	63572	34.120.208.123	192.168.2.8
Oct 9, 2024 00:21:01.163747072 CEST	63572	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.163824081 CEST	63573	443	192.168.2.8	34.120.208.123
Oct 9, 2024 00:21:01.183610916 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:01.190120935 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:01.281306982 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:01.308471918 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:01.315289974 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:01.335603952 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:01.411402941 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:01.451523066 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:01.675580978 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:01.675632954 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:09.886799097 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:09.894103050 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:09.983669043 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:09.986459017 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:09.993520021 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:10.029730082 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:10.086879969 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:10.130096912 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:19.989326954 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:19.995616913 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:20.089653969 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:20.096303940 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:27.074327946 CEST	63672	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:21:27.074368954 CEST	443	63672	34.107.243.93	192.168.2.8
Oct 9, 2024 00:21:27.074626923 CEST	63672	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:21:27.075962067 CEST	63672	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:21:27.075988054 CEST	443	63672	34.107.243.93	192.168.2.8
Oct 9, 2024 00:21:27.553786039 CEST	443	63672	34.107.243.93	192.168.2.8
Oct 9, 2024 00:21:27.553894043 CEST	63672	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:21:27.557324886 CEST	63672	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:21:27.557342052 CEST	443	63672	34.107.243.93	192.168.2.8
Oct 9, 2024 00:21:27.557430029 CEST	63672	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:21:27.557661057 CEST	443	63672	34.107.243.93	192.168.2.8
Oct 9, 2024 00:21:27.558533907 CEST	63672	443	192.168.2.8	34.107.243.93
Oct 9, 2024 00:21:27.560465097 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:27.565337896 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:27.655673981 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:27.658801079 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:27.663824081 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:27.711411953 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:27.757920027 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:27.811660051 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:37.656114101 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:37.661137104 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:37.772000074 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:37.776859999 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:47.669236898 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:47.674483061 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:47.785221100 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:47.790237904 CEST	80	49725	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:57.682483912 CEST	49722	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:57.689100027 CEST	80	49722	34.107.221.82	192.168.2.8
Oct 9, 2024 00:21:57.798261881 CEST	49725	80	192.168.2.8	34.107.221.82
Oct 9, 2024 00:21:57.803292036 CEST	80	49725	34.107.221.82	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2024 00:20:02.989949942 CEST	61125	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:02.990242958 CEST	63226	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:02.999485970 CEST	53	61125	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:03.015722036 CEST	60129	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:03.021471977 CEST	54289	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:03.021657944 CEST	57093	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:03.023886919 CEST	53	60129	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:03.029732943 CEST	53	54289	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:03.029917955 CEST	53	57093	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:03.032705069 CEST	55328	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:03.034086943 CEST	64730	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:03.034336090 CEST	57091	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:03.043028116 CEST	53	64730	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:03.043592930 CEST	53	55328	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:03.043637037 CEST	53	57091	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:03.768969059 CEST	58409	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.021295071 CEST	49666	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.057954073 CEST	60352	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.062263012 CEST	58415	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.281793118 CEST	53	58409	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.281805038 CEST	53	49666	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.283505917 CEST	50617	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.283881903 CEST	49292	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.288455963 CEST	53	58415	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.288822889 CEST	53	60352	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.289484978 CEST	54515	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.292217016 CEST	53	50617	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.292237043 CEST	53	49292	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.292943001 CEST	49435	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.293324947 CEST	65122	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.297532082 CEST	53	54515	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.298223019 CEST	53819	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.298979044 CEST	62795	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.302438974 CEST	53	49435	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.302500963 CEST	53	65122	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.303919077 CEST	52816	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.307183027 CEST	53	62795	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.308054924 CEST	55887	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.312448978 CEST	53	52816	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.316663980 CEST	53	55887	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:04.319411039 CEST	60757	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:04.328110933 CEST	53	60757	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.083408117 CEST	63737	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.139413118 CEST	60327	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.148019075 CEST	53	60327	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.154835939 CEST	49727	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.161905050 CEST	53	49727	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.164535046 CEST	50164	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.171248913 CEST	53	64696	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.171551943 CEST	53	50164	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.279927969 CEST	63607	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.286977053 CEST	53	63607	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.287707090 CEST	60711	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.294781923 CEST	53	60711	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.295403004 CEST	58799	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.302659988 CEST	53	58799	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.483653069 CEST	56994	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.490504980 CEST	53	56994	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.497987032 CEST	53408	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.505563021 CEST	53	53408	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.585709095 CEST	56464	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.592561007 CEST	53	56464	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.595405102 CEST	56882	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.603064060 CEST	53	56882	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:07.604482889 CEST	50302	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:07.613322020 CEST	53	50302	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.583988905 CEST	50783	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.583988905 CEST	60719	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.583988905 CEST	58426	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.590799093 CEST	53	60719	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.591176987 CEST	53	50783	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.591792107 CEST	53	58426	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.600023031 CEST	64850	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.602848053 CEST	61319	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.603295088 CEST	51566	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.606977940 CEST	53	64850	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.609070063 CEST	53106	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.609684944 CEST	53	61319	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.610097885 CEST	53	51566	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.611409903 CEST	63124	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.611409903 CEST	61432	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.615878105 CEST	53	53106	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.616395950 CEST	49789	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.618308067 CEST	53	61432	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.618632078 CEST	53	63124	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.618906021 CEST	54954	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.623286009 CEST	53	49789	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.624420881 CEST	59143	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.625626087 CEST	53	54954	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.626116991 CEST	58638	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.631417990 CEST	53	59143	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.632879019 CEST	53	58638	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.633160114 CEST	65331	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.633588076 CEST	61103	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.640394926 CEST	53	65331	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.640405893 CEST	53	61103	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.651560068 CEST	50549	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.658411026 CEST	53	50549	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:14.957277060 CEST	64052	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:14.966008902 CEST	53	64052	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:20.073884964 CEST	51003	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:20.135600090 CEST	53	51003	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:25.994599104 CEST	58487	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:26.003281116 CEST	53	58487	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:26.694400072 CEST	64418	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:26.703408957 CEST	53	64418	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:29.946151018 CEST	53030	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:29.955420971 CEST	53	53030	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:29.959857941 CEST	64166	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:29.964243889 CEST	55062	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:29.967439890 CEST	53	64166	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:29.968518972 CEST	63403	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:29.970999002 CEST	53	55062	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:29.977402925 CEST	53	63403	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:29.977915049 CEST	58350	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:29.984939098 CEST	53	58350	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:30.009763002 CEST	64617	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:30.016648054 CEST	53	64617	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:30.024290085 CEST	50206	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:30.031306982 CEST	53	50206	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:30.040462971 CEST	60116	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:30.047727108 CEST	53	60116	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:44.249227047 CEST	53	64417	1.1.1.1	192.168.2.8
Oct 9, 2024 00:20:46.551553965 CEST	65197	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:20:46.559448957 CEST	53	65197	1.1.1.1	192.168.2.8
Oct 9, 2024 00:21:00.185305119 CEST	54104	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:21:00.196549892 CEST	53	54104	1.1.1.1	192.168.2.8
Oct 9, 2024 00:21:01.184361935 CEST	51056	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:21:27.066493034 CEST	65498	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:21:27.073402882 CEST	53	65498	1.1.1.1	192.168.2.8
Oct 9, 2024 00:21:27.074183941 CEST	65309	53	192.168.2.8	1.1.1.1
Oct 9, 2024 00:21:27.080888033 CEST	53	65309	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 9, 2024 00:20:02.989949942 CEST	192.168.2.8	1.1.1.1	0x5435	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:02.990242958 CEST	192.168.2.8	1.1.1.1	0x6ab4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:03.015722036 CEST	192.168.2.8	1.1.1.1	0xea8	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:03.021471977 CEST	192.168.2.8	1.1.1.1	0xbcf8	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:03.021657944 CEST	192.168.2.8	1.1.1.1	0xec1	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:03.032705069 CEST	192.168.2.8	1.1.1.1	0x6b2a	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 9, 2024 00:20:03.034086943 CEST	192.168.2.8	1.1.1.1	0xd329	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:03.034336090 CEST	192.168.2.8	1.1.1.1	0xcf7	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 9, 2024 00:20:03.768969059 CEST	192.168.2.8	1.1.1.1	0x250	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.021295071 CEST	192.168.2.8	1.1.1.1	0x583a	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.057954073 CEST	192.168.2.8	1.1.1.1	0x7530	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.062263012 CEST	192.168.2.8	1.1.1.1	0x2052	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.283505917 CEST	192.168.2.8	1.1.1.1	0x1eb6	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.283881903 CEST	192.168.2.8	1.1.1.1	0xffd5	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.289484978 CEST	192.168.2.8	1.1.1.1	0x8788	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.292943001 CEST	192.168.2.8	1.1.1.1	0x486e	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 9, 2024 00:20:04.293324947 CEST	192.168.2.8	1.1.1.1	0x51b	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:04.298223019 CEST	192.168.2.8	1.1.1.1	0x312a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.298979044 CEST	192.168.2.8	1.1.1.1	0x309b	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.303919077 CEST	192.168.2.8	1.1.1.1	0xd701	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 9, 2024 00:20:04.308054924 CEST	192.168.2.8	1.1.1.1	0x8d05	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.319411039 CEST	192.168.2.8	1.1.1.1	0xa814	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 9, 2024 00:20:07.083408117 CEST	192.168.2.8	1.1.1.1	0xcd66	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.139413118 CEST	192.168.2.8	1.1.1.1	0xd20e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.154835939 CEST	192.168.2.8	1.1.1.1	0xb773	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.164535046 CEST	192.168.2.8	1.1.1.1	0xb86	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:07.279927969 CEST	192.168.2.8	1.1.1.1	0xd226	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.287707090 CEST	192.168.2.8	1.1.1.1	0x7f4a	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.295403004 CEST	192.168.2.8	1.1.1.1	0x8e31	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 9, 2024 00:20:07.483653069 CEST	192.168.2.8	1.1.1.1	0xef71	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.497987032 CEST	192.168.2.8	1.1.1.1	0x586d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:07.585709095 CEST	192.168.2.8	1.1.1.1	0x7e7d	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.595405102 CEST	192.168.2.8	1.1.1.1	0x6141	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.604482889 CEST	192.168.2.8	1.1.1.1	0xdfcb	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 9, 2024 00:20:14.583988905 CEST	192.168.2.8	1.1.1.1	0xc544	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.583988905 CEST	192.168.2.8	1.1.1.1	0xffaf	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.583988905 CEST	192.168.2.8	1.1.1.1	0x6970	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.600023031 CEST	192.168.2.8	1.1.1.1	0x127b	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.602848053 CEST	192.168.2.8	1.1.1.1	0xc9d	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.603295088 CEST	192.168.2.8	1.1.1.1	0xa4af	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.609070063 CEST	192.168.2.8	1.1.1.1	0xb679	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:14.611409903 CEST	192.168.2.8	1.1.1.1	0xe3fb	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 9, 2024 00:20:14.611409903 CEST	192.168.2.8	1.1.1.1	0xadf2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:14.616395950 CEST	192.168.2.8	1.1.1.1	0xa54d	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.618906021 CEST	192.168.2.8	1.1.1.1	0xec0c	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.624420881 CEST	192.168.2.8	1.1.1.1	0x1ca7	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.626116991 CEST	192.168.2.8	1.1.1.1	0x8913	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.633160114 CEST	192.168.2.8	1.1.1.1	0x91eb	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 9, 2024 00:20:14.633588076 CEST	192.168.2.8	1.1.1.1	0xb708	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:14.651560068 CEST	192.168.2.8	1.1.1.1	0x2d7e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:14.957277060 CEST	192.168.2.8	1.1.1.1	0x2dc4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:20.073884964 CEST	192.168.2.8	1.1.1.1	0x7815	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:25.994599104 CEST	192.168.2.8	1.1.1.1	0x65a9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:26.694400072 CEST	192.168.2.8	1.1.1.1	0xef17	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.946151018 CEST	192.168.2.8	1.1.1.1	0xecbd	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.959857941 CEST	192.168.2.8	1.1.1.1	0x8699	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.964243889 CEST	192.168.2.8	1.1.1.1	0xb77f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 9, 2024 00:20:29.968518972 CEST	192.168.2.8	1.1.1.1	0xd53	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.977915049 CEST	192.168.2.8	1.1.1.1	0x3158	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 9, 2024 00:20:30.009763002 CEST	192.168.2.8	1.1.1.1	0x4c7	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:30.024290085 CEST	192.168.2.8	1.1.1.1	0x8ae5	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:30.040462971 CEST	192.168.2.8	1.1.1.1	0x465b	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:20:46.551553965 CEST	192.168.2.8	1.1.1.1	0x8d39	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:21:00.185305119 CEST	192.168.2.8	1.1.1.1	0x4b45	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 9, 2024 00:21:01.184361935 CEST	192.168.2.8	1.1.1.1	0x6de9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:21:27.066493034 CEST	192.168.2.8	1.1.1.1	0x8518	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:21:27.074183941 CEST	192.168.2.8	1.1.1.1	0x2efb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 9, 2024 00:20:02.999485970 CEST	1.1.1.1	192.168.2.8	0x5435	No error (0)	youtube.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:02.999538898 CEST	1.1.1.1	192.168.2.8	0x6ab4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:02.999538898 CEST	1.1.1.1	192.168.2.8	0x6ab4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:02.999883890 CEST	1.1.1.1	192.168.2.8	0x319f	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:03.023886919 CEST	1.1.1.1	192.168.2.8	0xea8	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:03.029732943 CEST	1.1.1.1	192.168.2.8	0xbcf8	No error (0)	youtube.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:03.029917955 CEST	1.1.1.1	192.168.2.8	0xec1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:03.043028116 CEST	1.1.1.1	192.168.2.8	0xd329	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 9, 2024 00:20:03.043637037 CEST	1.1.1.1	192.168.2.8	0xcf7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 9, 2024 00:20:04.281793118 CEST	1.1.1.1	192.168.2.8	0x250	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.281805038 CEST	1.1.1.1	192.168.2.8	0x583a	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:04.281805038 CEST	1.1.1.1	192.168.2.8	0x583a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.288377047 CEST	1.1.1.1	192.168.2.8	0x6df9	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:04.288377047 CEST	1.1.1.1	192.168.2.8	0x6df9	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.288455963 CEST	1.1.1.1	192.168.2.8	0x2052	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.288455963 CEST	1.1.1.1	192.168.2.8	0x2052	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.288822889 CEST	1.1.1.1	192.168.2.8	0x7530	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.292217016 CEST	1.1.1.1	192.168.2.8	0x1eb6	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.292237043 CEST	1.1.1.1	192.168.2.8	0xffd5	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.297532082 CEST	1.1.1.1	192.168.2.8	0x8788	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.306591034 CEST	1.1.1.1	192.168.2.8	0x312a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:04.306591034 CEST	1.1.1.1	192.168.2.8	0x312a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.307183027 CEST	1.1.1.1	192.168.2.8	0x309b	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:04.307183027 CEST	1.1.1.1	192.168.2.8	0x309b	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:04.307183027 CEST	1.1.1.1	192.168.2.8	0x309b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.316663980 CEST	1.1.1.1	192.168.2.8	0x8d05	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:04.328110933 CEST	1.1.1.1	192.168.2.8	0xa814	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 9, 2024 00:20:07.145486116 CEST	1.1.1.1	192.168.2.8	0xcd66	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:07.148019075 CEST	1.1.1.1	192.168.2.8	0xd20e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.161905050 CEST	1.1.1.1	192.168.2.8	0xb773	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.286977053 CEST	1.1.1.1	192.168.2.8	0xd226	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:07.286977053 CEST	1.1.1.1	192.168.2.8	0xd226	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:07.286977053 CEST	1.1.1.1	192.168.2.8	0xd226	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.294781923 CEST	1.1.1.1	192.168.2.8	0x7f4a	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.340250015 CEST	1.1.1.1	192.168.2.8	0xc090	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:07.340250015 CEST	1.1.1.1	192.168.2.8	0xc090	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.477623940 CEST	1.1.1.1	192.168.2.8	0x4fe2	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.490504980 CEST	1.1.1.1	192.168.2.8	0xef71	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.592561007 CEST	1.1.1.1	192.168.2.8	0x7e7d	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:07.592561007 CEST	1.1.1.1	192.168.2.8	0x7e7d	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:07.603064060 CEST	1.1.1.1	192.168.2.8	0x6141	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:10.735892057 CEST	1.1.1.1	192.168.2.8	0x60d5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.590799093 CEST	1.1.1.1	192.168.2.8	0xffaf	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:14.590799093 CEST	1.1.1.1	192.168.2.8	0xffaf	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591176987 CEST	1.1.1.1	192.168.2.8	0xc544	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591792107 CEST	1.1.1.1	192.168.2.8	0x6970	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:14.591792107 CEST	1.1.1.1	192.168.2.8	0x6970	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.606977940 CEST	1.1.1.1	192.168.2.8	0x127b	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.609684944 CEST	1.1.1.1	192.168.2.8	0xc9d	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.610097885 CEST	1.1.1.1	192.168.2.8	0xa4af	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.615878105 CEST	1.1.1.1	192.168.2.8	0xb679	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 9, 2024 00:20:14.618308067 CEST	1.1.1.1	192.168.2.8	0xadf2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 9, 2024 00:20:14.618308067 CEST	1.1.1.1	192.168.2.8	0xadf2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 9, 2024 00:20:14.618308067 CEST	1.1.1.1	192.168.2.8	0xadf2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 9, 2024 00:20:14.618308067 CEST	1.1.1.1	192.168.2.8	0xadf2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 9, 2024 00:20:14.618632078 CEST	1.1.1.1	192.168.2.8	0xe3fb	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 9, 2024 00:20:14.623286009 CEST	1.1.1.1	192.168.2.8	0xa54d	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:14.623286009 CEST	1.1.1.1	192.168.2.8	0xa54d	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.623286009 CEST	1.1.1.1	192.168.2.8	0xa54d	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.623286009 CEST	1.1.1.1	192.168.2.8	0xa54d	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.623286009 CEST	1.1.1.1	192.168.2.8	0xa54d	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.625626087 CEST	1.1.1.1	192.168.2.8	0xec0c	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.631417990 CEST	1.1.1.1	192.168.2.8	0x1ca7	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.631417990 CEST	1.1.1.1	192.168.2.8	0x1ca7	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.631417990 CEST	1.1.1.1	192.168.2.8	0x1ca7	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.631417990 CEST	1.1.1.1	192.168.2.8	0x1ca7	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:14.632879019 CEST	1.1.1.1	192.168.2.8	0x8913	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:26.703408957 CEST	1.1.1.1	192.168.2.8	0xef17	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.952985048 CEST	1.1.1.1	192.168.2.8	0x3e07	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:29.952985048 CEST	1.1.1.1	192.168.2.8	0x3e07	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.955420971 CEST	1.1.1.1	192.168.2.8	0xecbd	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.967439890 CEST	1.1.1.1	192.168.2.8	0x8699	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.967439890 CEST	1.1.1.1	192.168.2.8	0x8699	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.967439890 CEST	1.1.1.1	192.168.2.8	0x8699	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.967439890 CEST	1.1.1.1	192.168.2.8	0x8699	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.977402925 CEST	1.1.1.1	192.168.2.8	0xd53	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.977402925 CEST	1.1.1.1	192.168.2.8	0xd53	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.977402925 CEST	1.1.1.1	192.168.2.8	0xd53	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:29.977402925 CEST	1.1.1.1	192.168.2.8	0xd53	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:30.016648054 CEST	1.1.1.1	192.168.2.8	0x4c7	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:30.016648054 CEST	1.1.1.1	192.168.2.8	0x4c7	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:30.031306982 CEST	1.1.1.1	192.168.2.8	0x8ae5	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:20:31.255151033 CEST	1.1.1.1	192.168.2.8	0x9f38	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:20:31.255151033 CEST	1.1.1.1	192.168.2.8	0x9f38	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:21:00.170686007 CEST	1.1.1.1	192.168.2.8	0xda7d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:21:01.194041967 CEST	1.1.1.1	192.168.2.8	0x6de9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 00:21:01.194041967 CEST	1.1.1.1	192.168.2.8	0x6de9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 9, 2024 00:21:27.073402882 CEST	1.1.1.1	192.168.2.8	0x8518	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49714	34.107.221.82	80	3872	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 00:20:03.054835081 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:04.040502071 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 00:31:58 GMT Age: 78485 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:04.040661097 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 00:31:58 GMT Age: 78485 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:04.041527033 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 00:31:58 GMT Age: 78485 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49718	34.107.221.82	80	3872	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 00:20:04.313983917 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:04.833436012 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73286 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49722	34.107.221.82	80	3872	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 00:20:04.934339046 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:05.387257099 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70278 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:05.641056061 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70278 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:06.301870108 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:06.467591047 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70279 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:09.889465094 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:10.116055965 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:10.416924953 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:10.826531887 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70283 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:14.641967058 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:14.736761093 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70287 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:15.680990934 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:15.777575016 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70288 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:17.205991983 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:17.302740097 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70290 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:19.628691912 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:19.724745989 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70292 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:20.888104916 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:20.983546972 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70293 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:26.491970062 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:26.588124037 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70299 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:30.430655956 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:30.525355101 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70303 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:30.735224962 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:30.831765890 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70303 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:30.996387959 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:31.092550993 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70304 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:31.207921982 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:31.304383993 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70304 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:41.309015036 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:20:45.246990919 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:45.342262030 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70318 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:47.050792933 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:20:47.147092104 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70320 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:20:57.154422045 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:21:00.680541039 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:21:00.777695894 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70333 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:21:01.183610916 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:21:01.281306982 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70334 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:21:09.886799097 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:21:09.983669043 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70342 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:21:19.989326954 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:21:27.560465097 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 9, 2024 00:21:27.655673981 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 70360 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 9, 2024 00:21:37.656114101 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:21:47.669236898 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:21:57.682483912 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49725	34.107.221.82	80	3872	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 00:20:05.771315098 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:06.237304926 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73288 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:06.824799061 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:07.125361919 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:07.236007929 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73289 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:14.604150057 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:14.702065945 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73296 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:14.959393024 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:15.059488058 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73297 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:16.107666969 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:16.219654083 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73298 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:17.569886923 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:17.668706894 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73299 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:20.081449032 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:20.226922989 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73302 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:20.986344099 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:21.085630894 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73303 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:26.591666937 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:26.691771984 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73308 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:30.528908968 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:30.627695084 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73312 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:30.835402012 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:30.935743093 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73312 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:31.095885992 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:31.195811987 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73313 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:31.307394981 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:31.409063101 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73313 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:41.431454897 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:20:45.345366001 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:45.443284988 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73327 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:47.150497913 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:20:47.250580072 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73329 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:20:57.254749060 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:21:00.820204020 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:21:00.919976950 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73342 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:21:01.308471918 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:21:01.411402941 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73343 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:21:01.675580978 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73343 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:21:09.986459017 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:21:10.086879969 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73352 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:21:20.089653969 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:21:27.658801079 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 9, 2024 00:21:27.757920027 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 73369 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 9, 2024 00:21:37.772000074 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:21:47.785221100 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 9, 2024 00:21:57.798261881 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	18:19:54
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x60000
File size:	919'040 bytes
MD5 hash:	88F5EE9048198B17B68C8C960B6888CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1500954598.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:19:54
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xd30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:19:54
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:19:56
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xd30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:19:56
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:19:56
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xd30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:19:56
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:19:57
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xd30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:19:57
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:19:57
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xd30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:19:57
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:19:57
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:19:57
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:19:57
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	18:19:58
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f9ba66-06f4-4dab-9656-3072865229ba} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1955a66d510 socket
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	18:20:00
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3752 -parentBuildID 20230927232528 -prefsHandle 3756 -prefMapHandle 3516 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0a60b9-2db6-4005-8263-e31f930ef023} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1955a68f610 rdd
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	18:20:06
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5148 -prefMapHandle 5132 -prefsLen 33353 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc30be76-9e45-4799-906d-b5fb74197779} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 19572772b10 utility
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1554
Total number of Limit Nodes:	64

Executed Functions

Function 000642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0006430D

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

GetCurrentProcess.KERNEL32(?,000FCB64,00000000,?,?), ref: 00064422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00064429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00064454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00064466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00064474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0006447B
GetSystemInfo.KERNEL32(?,?,?), ref: 000644A0

Strings

|O, xrefs: 000A36F8
GetNativeSystemInfo, xrefs: 00064460
kernel32.dll, xrefs: 0006444F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8b599484bb2bf9591ef3fb18f2395f0aa92ecacd85e3bfe5eaeb8ce81fd8f349
Instruction ID: c6359a1f82cf08c9295fbc6271acf4550ce653ec4f2e099f55adde3b5abd5ba0
Opcode Fuzzy Hash: 8b599484bb2bf9591ef3fb18f2395f0aa92ecacd85e3bfe5eaeb8ce81fd8f349
Instruction Fuzzy Hash: C2A1956290E3C4FFDB21C7AA7C425E97FE57B27360B089899E04197F22D63445C8DB21

Function 000642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000650AA,?,?,00000000,00000000), ref: 000642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000650AA,?,?,00000000,00000000), ref: 000642C9
LoadResource.KERNEL32(?,00000000,?,?,000650AA,?,?,00000000,00000000,?,?,?,?,?,?,00064F20), ref: 000A35BE
SizeofResource.KERNEL32(?,00000000,?,?,000650AA,?,?,00000000,00000000,?,?,?,?,?,?,00064F20), ref: 000A35D3
LockResource.KERNEL32(000650AA,?,?,000650AA,?,?,00000000,00000000,?,?,?,?,?,?,00064F20,?), ref: 000A35E6

Strings

SCRIPT, xrefs: 000642BF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2a4ca5d373e7583968060b8d87c8a25dddc7a4fa1b4110980ceb43cc9023bdc7
Instruction ID: e2539644af72f15dff569fe1b50a9fe29805b8d65a7cc6cb7eb380a800419acb
Opcode Fuzzy Hash: 2a4ca5d373e7583968060b8d87c8a25dddc7a4fa1b4110980ceb43cc9023bdc7
Instruction Fuzzy Hash: 10117C70600705BFE7218BA5DD59F277BBAEFC5B51F204169F502D6650DB71DC10D620

Function 000A2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00062B6B

Part of subcall function 00063A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00131418,?,00062E7F,?,?,?,00000000), ref: 00063A78

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00122224), ref: 000A2C10
ShellExecuteW.SHELL32(00000000,?,?,00122224), ref: 000A2C17

Strings

runas, xrefs: 000A2C0B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: dbc3bd27f41f9037edb2558a825de70cc7968bc4f347c700959fd244831abdf7
Instruction ID: 1f2526f55df31a70251de8b92e99a578934708b2c60dbb055270adbc58abcd53
Opcode Fuzzy Hash: dbc3bd27f41f9037edb2558a825de70cc7968bc4f347c700959fd244831abdf7
Instruction Fuzzy Hash: 3711D031208345AAD714FF64E992DFEB7ABEB91350F44242DF082631A3CF358A49D752

Function 000CD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000CD501
Process32FirstW.KERNEL32(00000000,?), ref: 000CD50F
Process32NextW.KERNEL32(00000000,?), ref: 000CD52F
CloseHandle.KERNELBASE(00000000), ref: 000CD5DC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 12204735b9315f1ba8cab5fdcb02aed531711bc4db6ce5a71c28bcf0ee2d7153
Instruction ID: 2b479dbbb824fcb10c06bb6c4fb000eff18093273e7167a05b647011b8814de2
Opcode Fuzzy Hash: 12204735b9315f1ba8cab5fdcb02aed531711bc4db6ce5a71c28bcf0ee2d7153
Instruction Fuzzy Hash: 963193711083009FE300EF54C881FAFBBE9EF99354F54052DF585971A2EB719944DBA2

Function 000CDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,000A5222), ref: 000CDBCE
GetFileAttributesW.KERNELBASE(?), ref: 000CDBDD
FindFirstFileW.KERNEL32(?,?), ref: 000CDBEE
FindClose.KERNEL32(00000000), ref: 000CDBFA

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 591735301761d066620ae417100c2a2dfa168140172e7b3a17932b33a26ec48f
Instruction ID: 6f767ab30114d38744b3bc4a2d8ef3f633eef9a38828fe363c56c58aff1a79eb
Opcode Fuzzy Hash: 591735301761d066620ae417100c2a2dfa168140172e7b3a17932b33a26ec48f
Instruction Fuzzy Hash: 76F0A03081091997A2206B78AE4EDBE37AC9F42334B10471BF836C24E0EBB46D54D695

Function 00084CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000928E9,?,00084CBE,000928E9,001288B8,0000000C,00084E15,000928E9,00000002,00000000,?,000928E9), ref: 00084D09
TerminateProcess.KERNEL32(00000000,?,00084CBE,000928E9,001288B8,0000000C,00084E15,000928E9,00000002,00000000,?,000928E9), ref: 00084D10
ExitProcess.KERNEL32 ref: 00084D22

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bab83bffbee25bd3e92e4caa718f59c00e68a0fb4e11e81d9f1b43f3be8f2263
Instruction ID: 3084b8cd93d8c8bb1dd5a306335c81b34f98c80223f27841dc33ee027a87a58b
Opcode Fuzzy Hash: bab83bffbee25bd3e92e4caa718f59c00e68a0fb4e11e81d9f1b43f3be8f2263
Instruction Fuzzy Hash: D7E0B631000249ABEF12BF54DE0AEA87B69FB41781B118014FC458A523CB39EE52EB80

Function 000EAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 000EB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000EB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000EB1D4
_wcslen.LIBCMT ref: 000EB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000EB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000EB236
_wcslen.LIBCMT ref: 000EB332

Part of subcall function 000D05A7: GetStdHandle.KERNEL32(000000F6), ref: 000D05C6

_wcslen.LIBCMT ref: 000EB34B
_wcslen.LIBCMT ref: 000EB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000EB3B6
GetLastError.KERNEL32(00000000), ref: 000EB407
CloseHandle.KERNEL32(?), ref: 000EB439
CloseHandle.KERNEL32(00000000), ref: 000EB44A
CloseHandle.KERNEL32(00000000), ref: 000EB45C
CloseHandle.KERNEL32(00000000), ref: 000EB46E
CloseHandle.KERNEL32(?), ref: 000EB4E3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 73b8a7856848d5bb5343878c2f176591b8dadc9e79ec540eee3f51028518f059
Instruction ID: fe510c94873d0e5b08e4f2f2d87c6e61935faebec5258eefd362340f90112c43
Opcode Fuzzy Hash: 73b8a7856848d5bb5343878c2f176591b8dadc9e79ec540eee3f51028518f059
Instruction Fuzzy Hash: F0F1BE716083409FD724EF25C891BAFBBE1AF85314F14855DF899AB2A2DB31EC44CB52

Function 0006D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0006D807
timeGetTime.WINMM ref: 0006DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0006DB28
TranslateMessage.USER32(?), ref: 0006DB7B
DispatchMessageW.USER32(?), ref: 0006DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0006DB9F
Sleep.KERNELBASE(0000000A), ref: 0006DBB1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 5cee39b2a6c24dcc330d8dd56d76daf830b384ea2a7b7732ec46c3888a3a137a
Instruction ID: 2aff4dbb402eb4f464dec889ccb07b51f91aa032e7b505c1767939863464e60f
Opcode Fuzzy Hash: 5cee39b2a6c24dcc330d8dd56d76daf830b384ea2a7b7732ec46c3888a3a137a
Instruction Fuzzy Hash: D542CF30A08342EFE778DF24C895BEABBE2BF45314F14855EE45587292D774E884CB92

Function 00062CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00062D07
RegisterClassExW.USER32(00000030), ref: 00062D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00062D42
InitCommonControlsEx.COMCTL32(?), ref: 00062D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00062D6F
LoadIconW.USER32(000000A9), ref: 00062D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00062D94

Strings

TaskbarCreated, xrefs: 00062D37
0, xrefs: 00062CE9
+, xrefs: 00062CF0
AutoIt v3 GUI, xrefs: 00062D23

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 26dd48e92892e5d5951564e612277ee86ca950ce4d55417a764c2c44113b5183
Instruction ID: d8d36a910b84bf86fa48a31c86953110f8d03bdb1c6fe08f612a6cb12dbcd1ba
Opcode Fuzzy Hash: 26dd48e92892e5d5951564e612277ee86ca950ce4d55417a764c2c44113b5183
Instruction Fuzzy Hash: D521E5B190130CEFEB00DFA4E94ABEDBBB4FB08714F00411AF611A66A0D7B91584DF91

Function 000A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000A039A: CreateFileW.KERNELBASE(00000000,00000000,?,000A0704,?,?,00000000,?,000A0704,00000000,0000000C), ref: 000A03B7

GetLastError.KERNEL32 ref: 000A076F
__dosmaperr.LIBCMT ref: 000A0776
GetFileType.KERNELBASE(00000000), ref: 000A0782
GetLastError.KERNEL32 ref: 000A078C
__dosmaperr.LIBCMT ref: 000A0795
CloseHandle.KERNEL32(00000000), ref: 000A07B5
CloseHandle.KERNEL32(?), ref: 000A08FF
GetLastError.KERNEL32 ref: 000A0931
__dosmaperr.LIBCMT ref: 000A0938

Strings

H, xrefs: 000A08BD

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a999af693105eb449328c735bb3cff253d57066c5432399703a9b1b6d299df9a
Instruction ID: b1469f564de403fbac038a1e9673a1aad26c6eb2645f121a277913fe7318ba78
Opcode Fuzzy Hash: a999af693105eb449328c735bb3cff253d57066c5432399703a9b1b6d299df9a
Instruction Fuzzy Hash: D9A12632A041098FDF19AFB8DC52BAE3BE4AB0B320F140159F855DB292DB359D12DB91

Function 0006344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00063A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00131418,?,00062E7F,?,?,?,00000000), ref: 00063A78

Part of subcall function 00063357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00063379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0006356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000A318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000A31CE
RegCloseKey.ADVAPI32(?), ref: 000A3210
_wcslen.LIBCMT ref: 000A3277
_wcslen.LIBCMT ref: 000A3286

Strings

\Include\, xrefs: 00063527
\, xrefs: 000A328C
Include, xrefs: 000A3184, 000A31C5
Software\AutoIt v3\AutoIt, xrefs: 00063560

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ca8baf01eadccf1e5c1f9d00553b791364214e4377a0ecec74bb4ff9156725e3
Instruction ID: 98b8aecdd0f28912988c2c8cf32993ed1a29b32057b10239b3f56ac054ff559c
Opcode Fuzzy Hash: ca8baf01eadccf1e5c1f9d00553b791364214e4377a0ecec74bb4ff9156725e3
Instruction Fuzzy Hash: C971D1715043059ED314FF65EC82DABBBE8FF89350F40042EF585975A1EB349A88CB62

Function 00062B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00062B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00062B9D
LoadIconW.USER32(00000063), ref: 00062BB3
LoadIconW.USER32(000000A4), ref: 00062BC5
LoadIconW.USER32(000000A2), ref: 00062BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00062BEF
RegisterClassExW.USER32(?), ref: 00062C40

Part of subcall function 00062CD4: GetSysColorBrush.USER32(0000000F), ref: 00062D07
Part of subcall function 00062CD4: RegisterClassExW.USER32(00000030), ref: 00062D31
Part of subcall function 00062CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00062D42
Part of subcall function 00062CD4: InitCommonControlsEx.COMCTL32(?), ref: 00062D5F
Part of subcall function 00062CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00062D6F
Part of subcall function 00062CD4: LoadIconW.USER32(000000A9), ref: 00062D85
Part of subcall function 00062CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00062D94

Strings

AutoIt v3, xrefs: 00062C2F
0, xrefs: 00062C0F
#, xrefs: 00062C16

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 00c8e786db7e40c4eeacb95750e5d3dfca4e5e5866fa754167cf913a3a21b574
Instruction ID: dfa93bb7c03da94197192668eccb04794364d0a6a92331c07058fc0cc59ceddb
Opcode Fuzzy Hash: 00c8e786db7e40c4eeacb95750e5d3dfca4e5e5866fa754167cf913a3a21b574
Instruction Fuzzy Hash: 89212C71E00318BBEB109FA6ED55AA97FB5FB48B60F00001AE504A6AA0D7B51584DF90

Function 00063170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0006316A,?,?), ref: 000631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0006316A,?,?), ref: 00063204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00063227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0006316A,?,?), ref: 00063232
CreatePopupMenu.USER32 ref: 00063246
PostQuitMessage.USER32(00000000), ref: 00063267

Strings

TaskbarCreated, xrefs: 0006322D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 65cf470fb71259cbaec174a8f4f9974164e0310a423ea35521b44d3285a0fb02
Instruction ID: 9186eeb6fc40990bc4019ef443752a2ce1e23e2339f38e3fb43af4861f302d8e
Opcode Fuzzy Hash: 65cf470fb71259cbaec174a8f4f9974164e0310a423ea35521b44d3285a0fb02
Instruction Fuzzy Hash: 24410E31244205B7EB246B78DD5EBBD3A9BEB07354F040125F901DA592C7759A80D7E1

Function 00061410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00061459
CoUninitialize.COMBASE ref: 000614F8
UnregisterHotKey.USER32(?), ref: 000616DD
DestroyWindow.USER32(?), ref: 000A24B9
FreeLibrary.KERNEL32(?), ref: 000A251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000A254B

Strings

close all, xrefs: 00061454

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5d749a3853d2a8d63a502327c84d30e69d8c0bcf25edf30b26ccc72c3caf2512
Instruction ID: f66c2cc64fd26c922195a8aa7ef5f13403fe0541366eda1c6727592e66fe72f2
Opcode Fuzzy Hash: 5d749a3853d2a8d63a502327c84d30e69d8c0bcf25edf30b26ccc72c3caf2512
Instruction Fuzzy Hash: 41D19031B01212CFDB29EF69C599EA9F7A5BF05700F1841ADE44A6B252DB30ED12CF51

Function 00062C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00062C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00062CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00061CAD,?), ref: 00062CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00061CAD,?), ref: 00062CCF

Strings

AutoIt v3, xrefs: 00062C89, 00062C8E, 00062C8F
edit, xrefs: 00062CAC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 64dcad21201eb9fde687a6105487188297ed0332c15d80f07968198b4336ebde
Instruction ID: c3093791d62daa382d200a98c3cf2b510e2ea513e52713be12125324284c5e0a
Opcode Fuzzy Hash: 64dcad21201eb9fde687a6105487188297ed0332c15d80f07968198b4336ebde
Instruction Fuzzy Hash: B1F0DA755443987AFB311717AC0DEB77EBDE7C6F60B00005AFA00A79A0C6651894EEB0

Function 00063B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00063B0F,SwapMouseButtons,00000004,?), ref: 00063B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00063B0F,SwapMouseButtons,00000004,?), ref: 00063B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00063B0F,SwapMouseButtons,00000004,?), ref: 00063B83

Strings

Control Panel\Mouse, xrefs: 00063B3E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b05fabd71d859aa951cb680d13713b3e391c7c7b7cb155e6812a97e49393a52f
Instruction ID: facf77da32edc9b9249a70a978f6cfbb62547afb99ea5f8960fb44b22de5098f
Opcode Fuzzy Hash: b05fabd71d859aa951cb680d13713b3e391c7c7b7cb155e6812a97e49393a52f
Instruction Fuzzy Hash: 66115AB1510208FFEB208FA4DC45EEEB7BDEF01740B105459AA01D7110D7319E40A7A0

Function 00063923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000A33A2

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00063A04

Strings

Line: , xrefs: 000A33EB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b9ccbfccb49b4b6c8d31b52c37253195ce72dd5429e4933d7e1399b6ca3871a5
Instruction ID: 39c5b8685173fc9f0df08ce3524bd6a2153c26af8d28062d0b84cb616675679a
Opcode Fuzzy Hash: b9ccbfccb49b4b6c8d31b52c37253195ce72dd5429e4933d7e1399b6ca3871a5
Instruction Fuzzy Hash: 4331C171408314AAD721EB20DC46BEFB7D9AB41720F04492EF59A935D2DB709B48CBD2

Function 0007FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00080668

Part of subcall function 000832A4: RaiseException.KERNEL32(?,?,?,0008068A,?,00131444,?,?,?,?,?,?,0008068A,00061129,00128738,00061129), ref: 00083304

__CxxThrowException@8.LIBVCRUNTIME ref: 00080685

Strings

Unknown exception, xrefs: 00080692

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a3d794a527b2f14a4f51b08f424f794caecab64aff030142b0ad4ee85cc7c2b7
Instruction ID: 6b71e6c7eb67c3451b7fd6ef7c359c1c2f40f075ee3f7f1bdd182cb9fc0c5319
Opcode Fuzzy Hash: a3d794a527b2f14a4f51b08f424f794caecab64aff030142b0ad4ee85cc7c2b7
Instruction Fuzzy Hash: 86F0C23490020EB7CB50B664E846CEE7BAD7F40710B608531B9A8965D2EF71EA29C794

Function 000610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00061BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00061BF4
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00061BFC
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00061C07
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00061C12
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00061C1A
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00061C22

Part of subcall function 00061B4A: RegisterWindowMessageW.USER32(00000004,?,000612C4), ref: 00061BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0006136A
OleInitialize.OLE32 ref: 00061388
CloseHandle.KERNEL32(00000000,00000000), ref: 000A24AB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 768e4a31dc1eac0dcc8b3c228a48265b27c8ffb6aafde5fec84263f5a8a30a38
Instruction ID: 203759ccfbbd13da43f9adf183a004184a734934d665c1dd9edac0de74d07f60
Opcode Fuzzy Hash: 768e4a31dc1eac0dcc8b3c228a48265b27c8ffb6aafde5fec84263f5a8a30a38
Instruction Fuzzy Hash: 4571EDB5905304AFD384EF79EE46AA53AE1FB8A340718862ED10AD7B62EB704481CF54

Function 000CC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00063923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00063A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000CC259
KillTimer.USER32(?,00000001,?,?), ref: 000CC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000CC270

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 701f304f2f26f93b7a40c00843704ebc71916aee0cd9cebf2145680f22dbc848
Instruction ID: 23e3efce230430fcef75b048e0d6df8a429014c87a8a0e99295bd885b4c5bb11
Opcode Fuzzy Hash: 701f304f2f26f93b7a40c00843704ebc71916aee0cd9cebf2145680f22dbc848
Instruction Fuzzy Hash: F5315E70904344AFFB729B64C895FEABBECAB16308F04049ED69EA7242C7745A85CB51

Function 000986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,000985CC,?,00128CC8,0000000C), ref: 00098704
GetLastError.KERNEL32(?,000985CC,?,00128CC8,0000000C), ref: 0009870E
__dosmaperr.LIBCMT ref: 00098739

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: ac9406c61b962bff76ac9560c55ab5645426ad65b5a7be09ccec0606a1d26898
Instruction ID: 4a80f3c467ffa39655b5c3d4291d042eb861f2d533b86f23b0626d00dcb6de20
Opcode Fuzzy Hash: ac9406c61b962bff76ac9560c55ab5645426ad65b5a7be09ccec0606a1d26898
Instruction Fuzzy Hash: 3C016B3360422027DEA16234AC45BBE67C94B83775F398119F9489F2D3DEA0CD81F390

Function 0006DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0006DB7B
DispatchMessageW.USER32(?), ref: 0006DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0006DB9F
Sleep.KERNELBASE(0000000A), ref: 0006DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 000B1CC9

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 77ede1520b9a9452f2ecebd8d19884bc5faee57dafe0f2c24219069b800f09b1
Instruction ID: 36ca5c3289024ba5a801170cfcedce14be31ed788de65df861ea59fbeb4c1dcd
Opcode Fuzzy Hash: 77ede1520b9a9452f2ecebd8d19884bc5faee57dafe0f2c24219069b800f09b1
Instruction Fuzzy Hash: 13F05E30A08344DBF770DBA0CD59FEA73EDEB44310F504919E61A834D0DB34A488DB15

Function 00071310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000717F6

Strings

CALL, xrefs: 000717C6

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5d18dba7e1d0c7838af7917e1faa6651ba65fae5a8b225d01af359ec07bdadd9
Instruction ID: 559440a2d9929b49c1a85086f1ea81353d5bd752b2d3b0075b19ab2fc9c1a0ec
Opcode Fuzzy Hash: 5d18dba7e1d0c7838af7917e1faa6651ba65fae5a8b225d01af359ec07bdadd9
Instruction Fuzzy Hash: 5A227C70A08241DFC764DF18C490AAABBF1BF85314F14891DF49A8B3A2D73AE945CB56

Function 00062DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 000A2C8C

Part of subcall function 00063AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00063A97,?,?,00062E7F,?,?,?,00000000), ref: 00063AC2

Part of subcall function 00062DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00062DC4

Strings

X, xrefs: 000A2C5A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 59e107f04db63f82a8c8ed6f8b880d0451e9a8faa7ae91d545baea45543c542f
Instruction ID: d2d1961fe7e9d829bc3b9dfca98fd98f6b5784088bc6ddbe3638c2c3461f8256
Opcode Fuzzy Hash: 59e107f04db63f82a8c8ed6f8b880d0451e9a8faa7ae91d545baea45543c542f
Instruction Fuzzy Hash: 1E21A571A002989FDB41EF94D845BEE7BF9AF49314F008069E445B7282DBB45A89CFA1

Function 00063837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00063908

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9d6483447db2899178b2806f2efcd120f0f4a33b67136f23faf2e6ed48fa2a2d
Instruction ID: a850b440bbe9a3619ccdf3ea13f50fc56265be07183dada6453968e0ce844a9e
Opcode Fuzzy Hash: 9d6483447db2899178b2806f2efcd120f0f4a33b67136f23faf2e6ed48fa2a2d
Instruction Fuzzy Hash: 1131A2715047019FE760DF64D885BDBBBE8FB49718F00092EF59A83641EB71AA44CB92

Function 0007F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0007F661

Part of subcall function 0006D730: GetInputState.USER32 ref: 0006D807

Sleep.KERNEL32(00000000), ref: 000BF2DE

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: dcaa1f8cd5ab394048343eba7e9dbc3e9e4ea736b9f41feec47ae76f62a1a311
Instruction ID: 2a303b877022a46fb21cd72f9a49bcee58df0a591eadd12a7adbbe3e4111582d
Opcode Fuzzy Hash: dcaa1f8cd5ab394048343eba7e9dbc3e9e4ea736b9f41feec47ae76f62a1a311
Instruction Fuzzy Hash: 0FF08C712446059FE310EF69D94AFAAB7E9FF45760F00402AE85AC7361EB70A840CB91

Function 00064ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00064E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00064EDD,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E9C
Part of subcall function 00064E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00064EAE
Part of subcall function 00064E90: FreeLibrary.KERNEL32(00000000,?,?,00064EDD,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064EFD

Part of subcall function 00064E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000A3CDE,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E62
Part of subcall function 00064E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00064E74
Part of subcall function 00064E59: FreeLibrary.KERNEL32(00000000,?,?,000A3CDE,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E87

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: b07f83089a53db5d42dce000b1cc8c4ecb4a0a92e4bbd1324b80271706e89b9d
Instruction ID: 7e2c7104d10f636b6c809cf786075810377e912ab366331dfb342de72cbcc50e
Opcode Fuzzy Hash: b07f83089a53db5d42dce000b1cc8c4ecb4a0a92e4bbd1324b80271706e89b9d
Instruction Fuzzy Hash: EA110632600305EADF25FF60DD03FED77A6AF40711F20842EF542AA1C2EE719A059790

Function 00098402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00098440

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 4e505ee72b159acc426d3fc9a282f99128fb7e1a8fa113a6c2a2693e0b3fe4b6
Instruction ID: c3fdd3d615a688de8de4faa8f2975942c11c845e8a106ffd7a3eb728ecbd1728
Opcode Fuzzy Hash: 4e505ee72b159acc426d3fc9a282f99128fb7e1a8fa113a6c2a2693e0b3fe4b6
Instruction Fuzzy Hash: 7611487590410AAFCF05DF58E9409DE7BF8EF49300F108069F808AB312DA30DA11DBA4

Function 00095000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00094C7D: RtlAllocateHeap.NTDLL(00000008,00061129,00000000,?,00092E29,00000001,00000364,?,?,?,0008F2DE,00093863,00131444,?,0007FDF5,?), ref: 00094CBE

_free.LIBCMT ref: 0009506C

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 505fb49c84944b3ca02e3e85147483592bbbc1f6324d191a19fb6cd99786ff36
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: F3012B722047056BE7328E559C4599AFBE8FBC5370F25061DE19483280E6306805C7B4

Function 0008E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1b949e47a1256934ef6f2eb2c2759f40730878ede1dc5ead727e968d24012cfc
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: ADF02832511E14A6DB313A79DC05BDA3398BF623B4F140715F4E4932E3EB70D81297A5

Function 00094C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00061129,00000000,?,00092E29,00000001,00000364,?,?,?,0008F2DE,00093863,00131444,?,0007FDF5,?), ref: 00094CBE

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d5acbf5a5dfebe5dcb41e1bbe47c7eeb802145aa5fd3bb14624f6ba37b5a91e9
Instruction ID: f63b7097e6475988d687efacc1231d6c624aa573b9ac5ecf56c7d4f9ddd46491
Opcode Fuzzy Hash: d5acbf5a5dfebe5dcb41e1bbe47c7eeb802145aa5fd3bb14624f6ba37b5a91e9
Instruction Fuzzy Hash: 69F0E9716022356FDFE16F729C09F9A37C8BF417B1B144225B859E61C1CB30D802A6E0

Function 00093820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e5f8ae9597de2272327417079a52e5b8446e6a3894b9d5e422a5341baef2f607
Instruction ID: b06ba5b5405872a4a0b7977363198cd00206147f123d79eec0666c5f7c8e171e
Opcode Fuzzy Hash: e5f8ae9597de2272327417079a52e5b8446e6a3894b9d5e422a5341baef2f607
Instruction Fuzzy Hash: 07E0ED3110032AA6EE313A779C05BEB36C9BF42BB0F050021BC8592892CF20DE01BAE0

Function 00064F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064F6D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: cc7c1e830f644f6148b5dea8f281928c323a03e2fe79fd59862f5c11e080ee6e
Instruction ID: b73462fc188383d305c63ebfce52c4080db66d5e765874ffea533c346e336824
Opcode Fuzzy Hash: cc7c1e830f644f6148b5dea8f281928c323a03e2fe79fd59862f5c11e080ee6e
Instruction Fuzzy Hash: C4F03071105751CFDB789F64D490826B7E6BF14319310897EE1DA82511C7319854DF10

Function 000F2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000F2A66

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: c3683305ca35d9d31eb15a6b9cc3ba23b4e0a715b79c73ce83cbb2c4c1aa7aa7
Instruction ID: a11ffb1ef902827ece928a8794d5f22b92d468c70c7eab296834acc8a6c1352d
Opcode Fuzzy Hash: c3683305ca35d9d31eb15a6b9cc3ba23b4e0a715b79c73ce83cbb2c4c1aa7aa7
Instruction Fuzzy Hash: CCE04F3635411AABD764EB30EC809FE739CEB50395710453AAD16C2901DB349995E6A0

Function 000630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0006314E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fa1c2e90fbb46df614cb5790dea78916c524f9a73677693b9585fc180f4e3074
Instruction ID: a90b5198aaaac1d134cd228874eec8a38b686e7ee9c0573348b1dca3a9c01b14
Opcode Fuzzy Hash: fa1c2e90fbb46df614cb5790dea78916c524f9a73677693b9585fc180f4e3074
Instruction Fuzzy Hash: 2EF03770914318AFE7529B24DC467D57BFCB701718F0000E5A58997592D77457C8CF51

Function 00062DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00062DC4

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e509b3a4515f5216612b65e11097ba3dd7fb572ad1a1280d90f7587f153ffb6b
Instruction ID: a8803c46e7fe62a0bb01417db7a932782e9e7c6b0e17723f5f1c56f71e72e9f3
Opcode Fuzzy Hash: e509b3a4515f5216612b65e11097ba3dd7fb572ad1a1280d90f7587f153ffb6b
Instruction Fuzzy Hash: 69E0CD766001245BD71096989C06FEA77DDDFC8790F044071FD09D7249DA64AD80C550

Function 00062B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00063837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00063908

Part of subcall function 0006D730: GetInputState.USER32 ref: 0006D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00062B6B

Part of subcall function 000630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0006314E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3eaf6d4c9d01df93dd4120a9f822c4c979603254338d579d5be2e6193cacc89d
Instruction ID: ccedb85e711ee1ace04ac89a79bec06a42ab98051284080785677515937225a9
Opcode Fuzzy Hash: 3eaf6d4c9d01df93dd4120a9f822c4c979603254338d579d5be2e6193cacc89d
Instruction Fuzzy Hash: 39E0CD2170424417D608BB75A9525FDF75BDBD1351F40153EF542531A3DF2486498392

Function 000A039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,000A0704,?,?,00000000,?,000A0704,00000000,0000000C), ref: 000A03B7

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: db8aea35c084bd4fbe067827b866f576b951183b09f6d03bff2e6210aa37ebea
Instruction ID: 41149611b5a462ec4d09a4f7c1b7ea0394c293ec2afd034d004ff8e0f0d9fdad
Opcode Fuzzy Hash: db8aea35c084bd4fbe067827b866f576b951183b09f6d03bff2e6210aa37ebea
Instruction Fuzzy Hash: CFD06C3204010DBBEF028F84DD06EDA3BAAFB48714F014000BE1856020C736E831EB90

Function 00061CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00061CBC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2004d03bda4d9131a6e20b64999c718ad4c087389b9c210d0e5032a9a4f78d05
Instruction ID: 318e2ea09bc83740f5bb52c8b4975e162261ad084d134a6916cac357dcdeb45a
Opcode Fuzzy Hash: 2004d03bda4d9131a6e20b64999c718ad4c087389b9c210d0e5032a9a4f78d05
Instruction Fuzzy Hash: 0BC09236380308EFF2149B80BD4BF607764B348F11F048001F609AADE3C3B228A4EA50

Non-executed Functions

Function 000F9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 000F961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000F965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 000F969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000F96C9
SendMessageW.USER32 ref: 000F96F2
GetKeyState.USER32(00000011), ref: 000F978B
GetKeyState.USER32(00000009), ref: 000F9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000F97AE
GetKeyState.USER32(00000010), ref: 000F97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000F97E9
SendMessageW.USER32 ref: 000F9810
SendMessageW.USER32(?,00001030,?,000F7E95), ref: 000F9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 000F992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000F9941
SetCapture.USER32(?), ref: 000F994A
ClientToScreen.USER32(?,?), ref: 000F99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000F99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000F99D6
ReleaseCapture.USER32 ref: 000F99E1
GetCursorPos.USER32(?), ref: 000F9A19
ScreenToClient.USER32(?,?), ref: 000F9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 000F9A80
SendMessageW.USER32 ref: 000F9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 000F9AEB
SendMessageW.USER32 ref: 000F9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000F9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 000F9B4A
GetCursorPos.USER32(?), ref: 000F9B68
ScreenToClient.USER32(?,?), ref: 000F9B75
GetParent.USER32(?), ref: 000F9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 000F9BFA
SendMessageW.USER32 ref: 000F9C2B
ClientToScreen.USER32(?,?), ref: 000F9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000F9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 000F9CDE
SendMessageW.USER32 ref: 000F9D01
ClientToScreen.USER32(?,?), ref: 000F9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000F9D82

Part of subcall function 00079944: GetWindowLongW.USER32(?,000000EB), ref: 00079952

GetWindowLongW.USER32(?,000000F0), ref: 000F9E05

Strings

@GUI_DRAGID, xrefs: 000F997D
F, xrefs: 000F9D07

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: ba70f2a6a3a69507cbcba5e84a69af82ebe2d17d54c8406509d14d65dab85022
Instruction ID: d38a0c9a65d1bdb40c61afc30472a818877fb91709e0942e2e99e68ed88117bc
Opcode Fuzzy Hash: ba70f2a6a3a69507cbcba5e84a69af82ebe2d17d54c8406509d14d65dab85022
Instruction Fuzzy Hash: DD427A34208208AFE724DF28CD44FBABBE5FF49714F140619F699C7AA1D731A894EB51

Function 000F4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 000F48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 000F4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 000F4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 000F494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 000F495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 000F497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 000F49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 000F49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 000F4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000F4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000F4A7E
IsMenu.USER32(?), ref: 000F4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000F4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000F4B20
GetWindowLongW.USER32(?,000000F0), ref: 000F4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 000F4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 000F4C82
wsprintfW.USER32 ref: 000F4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000F4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 000F4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000F4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000F4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 000F4D5A

Strings

%d/%02d/%02d, xrefs: 000F4CA8

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 220552187033e447137a5d829bfc622461a0ecbe6329f92a37e087bfac2797fa
Instruction ID: ef74fbad20ca12ff20a39aa433fca20e189288e4181368f37a77a2102ea4a79d
Opcode Fuzzy Hash: 220552187033e447137a5d829bfc622461a0ecbe6329f92a37e087bfac2797fa
Instruction Fuzzy Hash: 1C12C071600258ABFB248F28CC49FBF7BF8AF45710F104129FA19DA6A1DB789945EB50

Function 0007F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0007F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000BF474
IsIconic.USER32(00000000), ref: 000BF47D
ShowWindow.USER32(00000000,00000009), ref: 000BF48A
SetForegroundWindow.USER32(00000000), ref: 000BF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000BF4AA
GetCurrentThreadId.KERNEL32 ref: 000BF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000BF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 000BF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 000BF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000BF4DE
SetForegroundWindow.USER32(00000000), ref: 000BF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 000BF4F6
keybd_event.USER32(00000012,00000000), ref: 000BF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 000BF50B
keybd_event.USER32(00000012,00000000), ref: 000BF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 000BF519
keybd_event.USER32(00000012,00000000), ref: 000BF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 000BF528
keybd_event.USER32(00000012,00000000), ref: 000BF52D
SetForegroundWindow.USER32(00000000), ref: 000BF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 000BF557

Strings

Shell_TrayWnd, xrefs: 000BF46F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 340f25de7cf9897a02492f2871ce0cf3218b23575583505e2850ec2f47d620c7
Instruction ID: 9ee355b21ce7ed8cffc86381280c1335b99eebc16788e15f94889c19dfc4467c
Opcode Fuzzy Hash: 340f25de7cf9897a02492f2871ce0cf3218b23575583505e2850ec2f47d620c7
Instruction Fuzzy Hash: 53313D71A4021DBAFB306BB55D4AFBF7EACEB44B50F100065FA01E61D1C7B55D50EAA0

Function 000C1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 000C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000C170D
Part of subcall function 000C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000C173A
Part of subcall function 000C16C3: GetLastError.KERNEL32 ref: 000C174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 000C1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000C12A8
CloseHandle.KERNEL32(?), ref: 000C12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000C12D1
GetProcessWindowStation.USER32 ref: 000C12EA
SetProcessWindowStation.USER32(00000000), ref: 000C12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000C1310

Part of subcall function 000C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000C11FC), ref: 000C10D4
Part of subcall function 000C10BF: CloseHandle.KERNEL32(?,?,000C11FC), ref: 000C10E9

Strings

, xrefs: 000C125A
default, xrefs: 000C130B
winsta0, xrefs: 000C12CC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: d796fed78fcf6d30b5858878e37eb4f55cf2c5a47d1d0dc915cb3c03223a42b6
Instruction ID: 89b11667d1b2fa65a61795a9a043c0643597b8acdfcc6395d86bf94e1dbdbde1
Opcode Fuzzy Hash: d796fed78fcf6d30b5858878e37eb4f55cf2c5a47d1d0dc915cb3c03223a42b6
Instruction Fuzzy Hash: ED81CC71900209AFEF259FA4DD4AFEE7BB9EF06700F14416DFA10E61A2D7348A54DB60

Function 000C0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000C1114
Part of subcall function 000C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1120
Part of subcall function 000C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C112F
Part of subcall function 000C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1136
Part of subcall function 000C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000C0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000C0C00
GetLengthSid.ADVAPI32(?), ref: 000C0C17
GetAce.ADVAPI32(?,00000000,?), ref: 000C0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000C0C6D
GetLengthSid.ADVAPI32(?), ref: 000C0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000C0C8C
HeapAlloc.KERNEL32(00000000), ref: 000C0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000C0CB4
CopySid.ADVAPI32(00000000), ref: 000C0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000C0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000C0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000C0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0D45
HeapFree.KERNEL32(00000000), ref: 000C0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0D55
HeapFree.KERNEL32(00000000), ref: 000C0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0D65
HeapFree.KERNEL32(00000000), ref: 000C0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 000C0D78
HeapFree.KERNEL32(00000000), ref: 000C0D7F

Part of subcall function 000C1193: GetProcessHeap.KERNEL32(00000008,000C0BB1,?,00000000,?,000C0BB1,?), ref: 000C11A1
Part of subcall function 000C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000C0BB1,?), ref: 000C11A8
Part of subcall function 000C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000C0BB1,?), ref: 000C11B7

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 673c4ec6f8e7e4f2d032dd4f56ef4739613175efacd4bf017867e330144c0d4a
Instruction ID: 99cba2df4b57c87cd6dd0e2230a124d3ad24e2ddd71c597fd84b7e6d74fc3ba5
Opcode Fuzzy Hash: 673c4ec6f8e7e4f2d032dd4f56ef4739613175efacd4bf017867e330144c0d4a
Instruction Fuzzy Hash: EC716BB290020AEBEF10DFE4DD45FEEBBB8BF05700F044619E915A61A1DB75AA05CB60

Function 000DEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(000FCC08), ref: 000DEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 000DEB37
GetClipboardData.USER32(0000000D), ref: 000DEB43
CloseClipboard.USER32 ref: 000DEB4F
GlobalLock.KERNEL32(00000000), ref: 000DEB87
CloseClipboard.USER32 ref: 000DEB91
GlobalUnlock.KERNEL32(00000000), ref: 000DEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 000DEBC9
GetClipboardData.USER32(00000001), ref: 000DEBD1
GlobalLock.KERNEL32(00000000), ref: 000DEBE2
GlobalUnlock.KERNEL32(00000000), ref: 000DEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 000DEC38
GetClipboardData.USER32(0000000F), ref: 000DEC44
GlobalLock.KERNEL32(00000000), ref: 000DEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 000DEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000DEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000DECD2
GlobalUnlock.KERNEL32(00000000), ref: 000DECF3
CountClipboardFormats.USER32 ref: 000DED14
CloseClipboard.USER32 ref: 000DED59

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 21f4ec9a84719784238e78812f27ec2c7d100d0f8020ac97800a9d1bb2de7ee6
Instruction ID: 8dee16d1150cd2d1e4c11625e1d40333b6618658bb2ff12efd82f3ceeeddb601
Opcode Fuzzy Hash: 21f4ec9a84719784238e78812f27ec2c7d100d0f8020ac97800a9d1bb2de7ee6
Instruction Fuzzy Hash: 5B61BB34204346AFE310EF20C985F7A77E9AF84714F14451AF4469B7A2CB35E90ADBB2

Function 000D698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000D69BE
FindClose.KERNEL32(00000000), ref: 000D6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000D6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000D6A75

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 000D6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 000D6ADF

Strings

%02d, xrefs: 000D6C00, 000D6C0A, 000D6C5A, 000D6CAA, 000D6CFA, 000D6D4A
%03d, xrefs: 000D6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 000D6B6A
%4d, xrefs: 000D6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 000D6B32

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 4cf2ff653543b6c95535f2210211d89cf6a9325e3ad36a639ce918e324c23e13
Instruction ID: 539d0a041c449ac8d9bda9a0bcaf52053f84a8586e3c6ccae19bc52b95554fc7
Opcode Fuzzy Hash: 4cf2ff653543b6c95535f2210211d89cf6a9325e3ad36a639ce918e324c23e13
Instruction Fuzzy Hash: 91D16271508340AFD310DBA4C982EBBB7EDAF88704F44491EF589C7292EB75DA44CB62

Function 000D9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 000D9663
GetFileAttributesW.KERNEL32(?), ref: 000D96A1
SetFileAttributesW.KERNEL32(?,?), ref: 000D96BB
FindNextFileW.KERNEL32(00000000,?), ref: 000D96D3
FindClose.KERNEL32(00000000), ref: 000D96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 000D96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 000D974A
SetCurrentDirectoryW.KERNEL32(00126B7C), ref: 000D9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D9772
FindClose.KERNEL32(00000000), ref: 000D977F
FindClose.KERNEL32(00000000), ref: 000D978F

Strings

*.*, xrefs: 000D96F5

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: d531a5883e50283951751d6124379b7b97f090b544ad3dfd7b026e44480964db
Instruction ID: 4cd30cd136b59770ebce24b4ba3522f9f0c5a9c022d6b21ceb1e2dfc009be65a
Opcode Fuzzy Hash: d531a5883e50283951751d6124379b7b97f090b544ad3dfd7b026e44480964db
Instruction Fuzzy Hash: 5531D03264431D6AEF54EFB4ED09EEE37ECAF09321F144156E904E22A0DB38DA44CB20

Function 000D979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 000D97BE
FindNextFileW.KERNEL32(00000000,?), ref: 000D9819
FindClose.KERNEL32(00000000), ref: 000D9824
FindFirstFileW.KERNEL32(*.*,?), ref: 000D9840
SetCurrentDirectoryW.KERNEL32(?), ref: 000D9890
SetCurrentDirectoryW.KERNEL32(00126B7C), ref: 000D98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D98B8
FindClose.KERNEL32(00000000), ref: 000D98C5
FindClose.KERNEL32(00000000), ref: 000D98D5

Part of subcall function 000CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000CDB00

Strings

*.*, xrefs: 000D983B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 41bd78e9c49234e9bd703bf749ce31b09be315a8f48c3cbce9dfabb91a513bdb
Instruction ID: ac792e752ebf0ca934bd0f847e6560a1bcfab7d5500b2039ba941fd388f96144
Opcode Fuzzy Hash: 41bd78e9c49234e9bd703bf749ce31b09be315a8f48c3cbce9dfabb91a513bdb
Instruction Fuzzy Hash: 5B31D23254031D6AEF14EFA4EC49EEE77ACAF06721F144156E850A22E1DF34DA44EB70

Function 000EBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000EC9F1
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA68
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 000EBFA9
RegCloseKey.ADVAPI32(00000000), ref: 000EBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000EC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000EC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000EC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000EC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 000EC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000EC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000EC382
RegCloseKey.ADVAPI32(00000000), ref: 000EC38F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 272397300c0fc45fb659235d59c2a39368ecd71f3de9d75b2505784237d0bba1
Instruction ID: 370e105da0ccc8f71510ff68171c63c4ffbadd8b80dadcd20989d79af8b35781
Opcode Fuzzy Hash: 272397300c0fc45fb659235d59c2a39368ecd71f3de9d75b2505784237d0bba1
Instruction Fuzzy Hash: F40280716042409FD714CF29C895E6ABBE5EF89308F18C49DF84ADB2A2DB31ED46CB51

Function 000D8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000D8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 000D8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000D8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000D8310
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8324
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000D838C
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8395

Strings

*.*, xrefs: 000D839B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 40165f448e50cf6c847f6bfc450c46327205a6970be519006f39fe107c7d12f6
Instruction ID: ab4c40caf1ddd633a8dc3b0b18d23c99661469f58c52d8a551403b642814f9e4
Opcode Fuzzy Hash: 40165f448e50cf6c847f6bfc450c46327205a6970be519006f39fe107c7d12f6
Instruction Fuzzy Hash: B3616C725043459FD710EF60C845DAEB3E9FF89310F04892EF98987252EB35E945CBA2

Function 000CD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00063AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00063A97,?,?,00062E7F,?,?,?,00000000), ref: 00063AC2

Part of subcall function 000CE199: GetFileAttributesW.KERNEL32(?,000CCF95), ref: 000CE19A

FindFirstFileW.KERNEL32(?,?), ref: 000CD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 000CD1DD
MoveFileW.KERNEL32(?,?), ref: 000CD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 000CD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 000CD237

Part of subcall function 000CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,000CD21C,?,?), ref: 000CD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 000CD253
FindClose.KERNEL32(00000000), ref: 000CD264

Strings

\*.*, xrefs: 000CD0CD, 000CD0D6, 000CD0EB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b16376f046aca2a0a0324629834053af444c291dedff94702adea2495c20bbb5
Instruction ID: 82dce3869e9da4197bb77667a94906c82dd17ca4062e988e35938d5195e6b1ca
Opcode Fuzzy Hash: b16376f046aca2a0a0324629834053af444c291dedff94702adea2495c20bbb5
Instruction Fuzzy Hash: 96614D3180110DAFDF15EBE0DA52EEDB7BAAF65300F64416AE40177192EB319F09DB61

Function 000DED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000DED91
EmptyClipboard.USER32 ref: 000DED97
GlobalAlloc.KERNEL32(00000002,?), ref: 000DEDAC
CloseClipboard.USER32 ref: 000DEEA3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 317e5ad39c814e1a4bcc92136797f77842fa1df6ab5bd3e64b778a01980154bd
Instruction ID: 984f44f56aa1a5985bc2a534235f0423ed5098b6bb28aa52390430bc2361ffd4
Opcode Fuzzy Hash: 317e5ad39c814e1a4bcc92136797f77842fa1df6ab5bd3e64b778a01980154bd
Instruction Fuzzy Hash: 03417C35204651AFE720EF15D889F69BBE5EF44328F14809AE45A8FB62C775EC41CBA0

Function 000CE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000C170D
Part of subcall function 000C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000C173A
Part of subcall function 000C16C3: GetLastError.KERNEL32 ref: 000C174A

ExitWindowsEx.USER32(?,00000000), ref: 000CE932

Strings

, xrefs: 000CE920
@, xrefs: 000CE925
, xrefs: 000CE95C
SeShutdownPrivilege, xrefs: 000CE902

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9c9116b46554bb843b6461d4c3a143e4be68285d14af18767141384c6b829c94
Instruction ID: dc663f1290ad2aa9510d50fb84a62b2bdfea06833dc60f6cfa8aa354e68e7c78
Opcode Fuzzy Hash: 9c9116b46554bb843b6461d4c3a143e4be68285d14af18767141384c6b829c94
Instruction Fuzzy Hash: B301D672610215ABFBA427B4DC86FFF729CE715750F154529F902E21D2DAB45C809294

Function 000E1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000E1276
WSAGetLastError.WSOCK32 ref: 000E1283
bind.WSOCK32(00000000,?,00000010), ref: 000E12BA
WSAGetLastError.WSOCK32 ref: 000E12C5
closesocket.WSOCK32(00000000), ref: 000E12F4
listen.WSOCK32(00000000,00000005), ref: 000E1303
WSAGetLastError.WSOCK32 ref: 000E130D
closesocket.WSOCK32(00000000), ref: 000E133C

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 397b7726241c24737325c37a6fa3da767b212d9c18eabc96c9cc5c27e4f063e8
Instruction ID: e3a723002625293c2daaeb27a932969abcf18137e99c8e498c9b57e195dcdda6
Opcode Fuzzy Hash: 397b7726241c24737325c37a6fa3da767b212d9c18eabc96c9cc5c27e4f063e8
Instruction Fuzzy Hash: 1441B1306001409FE710DF25C989BA9BBE6AF46318F18808CD9569F2A2C771ED82CBA1

Function 0009E4FF Relevance: 11.9, APIs: 1, Strings: 5, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0009E645

Strings

1#IND, xrefs: 0009F83D
1#INF, xrefs: 0009F852
InitializeCriticalSectionEx, xrefs: 0009E608, 0009E699, 0009EA92
1#QNAN, xrefs: 0009F84B
1#SNAN, xrefs: 0009F844

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$InitializeCriticalSectionEx
API String ID: 4168288129-2709433496
Opcode ID: 16d7d01367fc4a2f52f1244774e61aa175d758f7d3ce0d28262ade52ae14471a
Instruction ID: 2986584407253bc8c9137bb5bb920c869429f8de2c2f63f220ed60daa6c79a1e
Opcode Fuzzy Hash: 16d7d01367fc4a2f52f1244774e61aa175d758f7d3ce0d28262ade52ae14471a
Instruction Fuzzy Hash: E9C23771E086298BDF65CE28DD407EAB7F5EB88305F1441EAD84DE7241E778AE819F40

Function 0009B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0009B9D4
_free.LIBCMT ref: 0009B9F8
_free.LIBCMT ref: 0009BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00103700), ref: 0009BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0013121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0009BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00131270,000000FF,?,0000003F,00000000,?), ref: 0009BC36
_free.LIBCMT ref: 0009BD4B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 9272277efbad96d7fdc85cb92ef78101e3b63160caf18bc9e37db8a09f514cff
Instruction ID: ea323843b196b7f2844e387ef5a2b56ce03ce2c0a240622f4c1b36bb996607dd
Opcode Fuzzy Hash: 9272277efbad96d7fdc85cb92ef78101e3b63160caf18bc9e37db8a09f514cff
Instruction Fuzzy Hash: 1AC11871904209AFDF20DF68AE51BEE7BE9EF41330F24415AE494D7292EB709E41E750

Function 000CD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00063AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00063A97,?,?,00062E7F,?,?,?,00000000), ref: 00063AC2

Part of subcall function 000CE199: GetFileAttributesW.KERNEL32(?,000CCF95), ref: 000CE19A

FindFirstFileW.KERNEL32(?,?), ref: 000CD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 000CD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 000CD481
FindClose.KERNEL32(00000000), ref: 000CD498
FindClose.KERNEL32(00000000), ref: 000CD4A1

Strings

\*.*, xrefs: 000CD3F2

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e03bab36ec86eb389272f412c86c8b52610d6a1ddd97ab8212d7e0804245bb38
Instruction ID: a81c27d024a06f23b58acd3110508e794df1a4fae87fbc10f778306a0c854bb1
Opcode Fuzzy Hash: e03bab36ec86eb389272f412c86c8b52610d6a1ddd97ab8212d7e0804245bb38
Instruction Fuzzy Hash: EB316D310083459FD204EF64D992DEFB7E9AF92314F444A2EF5D593192EB30AA09DB63

Function 000D648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000D64DC
CoInitialize.OLE32(00000000), ref: 000D6639
CoCreateInstance.OLE32(000FFCF8,00000000,00000001,000FFB68,?), ref: 000D6650
CoUninitialize.OLE32 ref: 000D68D4

Strings

.lnk, xrefs: 000D64BA, 000D6524, 000D65E0

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 3c5a9b33a3b0d53803a235a8a155fff08c534245c594234a5aa0eaf7148ddeb4
Instruction ID: 0b58ef0853a3ec2f490006a0e575fdb8a297629e7fcde381142124acf53c35ac
Opcode Fuzzy Hash: 3c5a9b33a3b0d53803a235a8a155fff08c534245c594234a5aa0eaf7148ddeb4
Instruction Fuzzy Hash: 22D14A71508301AFD314EF24C881EABB7E9FF94704F10496DF5958B292DB72E945CBA2

Function 000E22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 000E22E8

Part of subcall function 000DE4EC: GetWindowRect.USER32(?,?), ref: 000DE504

GetDesktopWindow.USER32 ref: 000E2312
GetWindowRect.USER32(00000000), ref: 000E2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 000E2355
GetCursorPos.USER32(?), ref: 000E2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000E23DF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ad0961d3f34b5713daf31856e4561034ee2139533460d1851a696075293ee074
Instruction ID: 455dbcb345bfb56f3bf63ee202068376b15fee4e743e9f72ac274f1fa1f7e840
Opcode Fuzzy Hash: ad0961d3f34b5713daf31856e4561034ee2139533460d1851a696075293ee074
Instruction Fuzzy Hash: 0B319072504355AFE720DF65C845FABB7EAFB84714F000A19F585A7191DA34EA08CB92

Function 000D9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 000D9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000D9C8B

Part of subcall function 000D3874: GetInputState.USER32 ref: 000D38CB
Part of subcall function 000D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000D3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000D9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000D9C75

Strings

*.*, xrefs: 000D9B5D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: be2d274ebec4f140db655a4ead4e792ac91aae6d17c637a5e021313ebbac20c7
Instruction ID: 885f057a618bfb4e4fe57ee8581fe7a139dfc1b565f093aea77ff538643d8f5f
Opcode Fuzzy Hash: be2d274ebec4f140db655a4ead4e792ac91aae6d17c637a5e021313ebbac20c7
Instruction Fuzzy Hash: 47414F7194420AAFDF55DFA4C986AEEBBF9EF05310F244156E805A32A1EB309E44DF60

Function 00068060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0006843C
VUUU, xrefs: 000683FA
VUUU, xrefs: 000683E8
VUUU, xrefs: 000A5DF0
InitializeCriticalSectionEx, xrefs: 000A5D4D
ERCP, xrefs: 0006813C

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID: ERCP$InitializeCriticalSectionEx$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1173862840
Opcode ID: dcd8a0eb6d0d43ab74cb2a70fa40d0425cd9bf102215818377d3ec7aeb799e1d
Instruction ID: cf7df658f090f75b13ba696962110d55a1f25132d5f179c5b91eb7f797b19107
Opcode Fuzzy Hash: dcd8a0eb6d0d43ab74cb2a70fa40d0425cd9bf102215818377d3ec7aeb799e1d
Instruction Fuzzy Hash: E9A26171E0061ACBDF74CF98C8447AEB7B2BF55310F2482A9E855A7285EB719D81CF50

Function 0007997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00079A4E
GetSysColor.USER32(0000000F), ref: 00079B23
SetBkColor.GDI32(?,00000000), ref: 00079B36

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9caaf4e777bbd3b5b8ce4430d31a9242b1fbb45e7a0936b28cf38014bae1b005
Instruction ID: 191e9b81f70052c5d4d2431726cb99c4c06d176ef15e3e9b360118a7fa4767c1
Opcode Fuzzy Hash: 9caaf4e777bbd3b5b8ce4430d31a9242b1fbb45e7a0936b28cf38014bae1b005
Instruction Fuzzy Hash: FAA12B70A09444BEE7789A3C8C49EFF36DDDB82300F158109F50AD6E96CA299D41D3BB

Function 000E1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000E307A
Part of subcall function 000E304E: _wcslen.LIBCMT ref: 000E309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000E185D
WSAGetLastError.WSOCK32 ref: 000E1884
bind.WSOCK32(00000000,?,00000010), ref: 000E18DB
WSAGetLastError.WSOCK32 ref: 000E18E6
closesocket.WSOCK32(00000000), ref: 000E1915

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 59813e497c0ad983522a893126d38f5b19def7201e049a12c2b10909f8660482
Instruction ID: 213a71e7d58db44aa0c9aae58abc7057be08d6e5c41b7fabf9b7d6a82b534185
Opcode Fuzzy Hash: 59813e497c0ad983522a893126d38f5b19def7201e049a12c2b10909f8660482
Instruction Fuzzy Hash: E651C871A002109FE710AF24C986FBA77E59F44718F488198F95AAF3D3CB75AD41CB91

Function 000F1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000F1CC0
IsWindowEnabled.USER32 ref: 000F1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 000F1CDB
IsIconic.USER32 ref: 000F1CE9
IsZoomed.USER32 ref: 000F1CF7

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a85f54b70f1ff91fa27c65030a8e1382a4a723d454d2a8f756ba4470cec530da
Instruction ID: d3b31f4764c08602803eeefee6f30489702852a455543d135f5815e07eedc183
Opcode Fuzzy Hash: a85f54b70f1ff91fa27c65030a8e1382a4a723d454d2a8f756ba4470cec530da
Instruction Fuzzy Hash: 7C2194317402189FE7208F1AD844FBA7BE5AF95314B198068E949CBB52C775EC42EBD0

Function 000CAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 000CAAAC
SetKeyboardState.USER32(00000080), ref: 000CAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 000CAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 000CAB88

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 435df1b7de0acc35fabe5d2d625a8f3b81f8030b408eff74d79d0fe01007bc33
Instruction ID: c1a5f2d7f5c8e115e8c2f04196adc9809e5aa5bbd1bb3f221e002f7ed717d930
Opcode Fuzzy Hash: 435df1b7de0acc35fabe5d2d625a8f3b81f8030b408eff74d79d0fe01007bc33
Instruction Fuzzy Hash: 2231E270B4020CAEFF358B648805FFE7BEAAB46324F04421EF181961E2D7798D81D762

Function 000DCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 000DCE89
GetLastError.KERNEL32(?,00000000), ref: 000DCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 000DCEFE

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 69bda93e15bfea02229f6083be0ce13588c0b0be4764b3533fe89d02e597b6af
Instruction ID: c2dd3ceca9166025fd0ccf89bc29d5a34474788f837f7f1b603e0bc452e64089
Opcode Fuzzy Hash: 69bda93e15bfea02229f6083be0ce13588c0b0be4764b3533fe89d02e597b6af
Instruction Fuzzy Hash: 40218CB15007069BFB709FA5C949FAA77FCEB40354F10442AE54692252E774EE04DB60

Function 000C8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000C82AA

Strings

|, xrefs: 000C82DA
(, xrefs: 000C82F0

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: bbfed90ceb80b95a122e8064c4b43fc264021353fcf142f21e51fa0e51f162c3
Instruction ID: 181afc78e4bfc6222a5eaa5bbc88df52e923f098819cd6b841901af488bcdfb3
Opcode Fuzzy Hash: bbfed90ceb80b95a122e8064c4b43fc264021353fcf142f21e51fa0e51f162c3
Instruction Fuzzy Hash: 31322474A006059FCB28CF59C481EAAB7F0FF48710B15C56EE59ADB7A1EB70E981CB44

Function 000D5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000D5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 000D5D17
FindClose.KERNEL32(?), ref: 000D5D5F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 7817fad33a01a3e91f05fcd33f37f3513912ba8b4a679b67f54813d621504ee2
Instruction ID: 7cea5feb5a7634448883777b79065e5204ff43d0f28b4e293182a304c7337b1b
Opcode Fuzzy Hash: 7817fad33a01a3e91f05fcd33f37f3513912ba8b4a679b67f54813d621504ee2
Instruction Fuzzy Hash: 3E516B346047019FD724DF28C895E9AB7E5FF49314F14855EE99A8B3A2CB30E944CFA1

Function 00092622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0009271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00092724
UnhandledExceptionFilter.KERNEL32(?), ref: 00092731

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: bf2d2557ed2fcd3d47bec9bb611c596ebc1e921d927748d15550fb6647b812b4
Instruction ID: 96f47c2d2d7a1ef56f16663b0b2e59438169357262879e3030b6c2ec088e15b8
Opcode Fuzzy Hash: bf2d2557ed2fcd3d47bec9bb611c596ebc1e921d927748d15550fb6647b812b4
Instruction Fuzzy Hash: A931C47490121CABCB61EF64DD89BDCB7B8BF08310F5041EAE41CA6261E7349F858F45

Function 000D51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000D51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000D5238
SetErrorMode.KERNEL32(00000000), ref: 000D52A1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 08b77644ea7269eaf4e9eee847253d0f5d1fb496e6cc631f9ae884441ca4a780
Instruction ID: 2c0c5c19635e3fc66ad5ea605cf1c9638ed4a1d8df34dda8d2f47579cc310f2f
Opcode Fuzzy Hash: 08b77644ea7269eaf4e9eee847253d0f5d1fb496e6cc631f9ae884441ca4a780
Instruction Fuzzy Hash: F8314F75A00618DFEB00DF54D884EADBBF5FF49314F048099E8459B352DB35E859CBA0

Function 000C16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0007FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00080668
Part of subcall function 0007FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00080685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000C170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000C173A
GetLastError.KERNEL32 ref: 000C174A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: cb69da091b157b843494662c40ae043a16862aa901dca822e901a2c86604a115
Instruction ID: 392ff9293fd5f55981b827c900ac0403a6de9e00004dc8d5198faae8cc609d9d
Opcode Fuzzy Hash: cb69da091b157b843494662c40ae043a16862aa901dca822e901a2c86604a115
Instruction Fuzzy Hash: 8511C1B2904309FFE7289F54DC86EBEB7F9EB04714B20852EE05653642EB74BC41CA24

Function 000CD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000CD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000CD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000CD650

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 14b47b39a7964273eced40cb0e61d781e04b67ee5bfb12849fe81e1accbe89ce
Instruction ID: 4a58703c9d992e7930742f376963d6bb117c3ca7b6abdd80abcd8693ba2f3603
Opcode Fuzzy Hash: 14b47b39a7964273eced40cb0e61d781e04b67ee5bfb12849fe81e1accbe89ce
Instruction Fuzzy Hash: FD115E75E05228BFEB208F99DD45FAFBBBCEB45B50F108126F904E7290D6704A05DBA1

Function 000C1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000C168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000C16A1
FreeSid.ADVAPI32(?), ref: 000C16B1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a1f9368ddfc40c84b23dff9e263fdfa6b2bc6722a9ec45554b579d1818e5ae76
Instruction ID: 621977cabbe41a6ae6a743e64bfd8e06a3dcb5bac600b66656b4dc3259cc6eb1
Opcode Fuzzy Hash: a1f9368ddfc40c84b23dff9e263fdfa6b2bc6722a9ec45554b579d1818e5ae76
Instruction Fuzzy Hash: 76F0F47195030DFBEB00DFE49D8AEAEBBBCEB08604F504965E501E2181E774AA44AA54

Function 0009C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0009C36C

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 39882acd983eeff2c5595b8a420bb10d95d4e7e383774a4fa7e504b005b4df47
Instruction ID: e6105664e3256ce732c17fe2fb74b02e49565e877424c77a728e49db53b151b3
Opcode Fuzzy Hash: 39882acd983eeff2c5595b8a420bb10d95d4e7e383774a4fa7e504b005b4df47
Instruction Fuzzy Hash: FC415972900219AFDF209FB9CC49EFB77B8EB84354F508269F905D7181E6709E81DB50

Function 000BD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000BD28C

Strings

X64, xrefs: 000BD2A8

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 46f5805e800b5f5798ae0220ec6e94f143d3be294e85154961aabc655a7a8a3a
Instruction ID: 247d95a0f2b31d74838529e23838ef7141df8abfd1ce46155a456797dea9d65d
Opcode Fuzzy Hash: 46f5805e800b5f5798ae0220ec6e94f143d3be294e85154961aabc655a7a8a3a
Instruction Fuzzy Hash: 0BD0C9B480111DEADBA4CB90DC88DDDB37CBF14305F104156F106A2000DB3495499F10

Function 0008CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 29cde46933aa7bb624500aa062cd77bd7a2238d4d0ff4cc321f469628b447f35
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 12021D71E002199BEF14DFA9C880AADFBF1FF48314F25816AD959E7381D731AA41CB94

Function 000D68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000D6918
FindClose.KERNEL32(00000000), ref: 000D6961

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 85b6f78e63b1ffe3f4c0449e1519d0705a9a5759bfe9c8f475da7004715cc3c8
Instruction ID: 6952b18bf5f4cb01bd72a5fca13304366ae46aee1c0751aded6122a2c354c561
Opcode Fuzzy Hash: 85b6f78e63b1ffe3f4c0449e1519d0705a9a5759bfe9c8f475da7004715cc3c8
Instruction Fuzzy Hash: 8811B1316042009FD710CF69C485E26FBE5EF85328F04C6AAE4698F7A2C731EC05CB90

Function 000D37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,000E4891,?,?,00000035,?), ref: 000D37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,000E4891,?,?,00000035,?), ref: 000D37F4

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f44fa82065c751b92ddc9b946d0bffc2de274b6bcf09be0cb9598997540ef5d4
Instruction ID: 17b26037f7921bfdc6e0cad277ddca3bbbc7563481d30f83fda1c8ac9b0d3f31
Opcode Fuzzy Hash: f44fa82065c751b92ddc9b946d0bffc2de274b6bcf09be0cb9598997540ef5d4
Instruction Fuzzy Hash: 4EF0E5B06053292AF76017A68C4EFEB3AAEEFC5771F000176F509E2281D9609904C6B1

Function 000CB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000CB25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 000CB270

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c1347a2e14c29b37c8fdb018026a14645fc3cafc3dff7228eb83a5a08b717281
Instruction ID: 51d3a6c3e72e01c07ba612f3fa4497118846e17a20c599713f5d0b0cf21a4cd0
Opcode Fuzzy Hash: c1347a2e14c29b37c8fdb018026a14645fc3cafc3dff7228eb83a5a08b717281
Instruction Fuzzy Hash: B7F01D7180424DABEB159FA0C806BBE7BB4FF04305F048409F955A5191C7799615DF94

Function 000C10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000C11FC), ref: 000C10D4
CloseHandle.KERNEL32(?,?,000C11FC), ref: 000C10E9

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f4594e69e444229cd117596774970ba01b32571d59f6ad967dd8e0dd5f5eda7e
Instruction ID: 593dc31bd57ffdf6db1a3b403dac96c224342a4d7a8cd519154333c38bd3f9c6
Opcode Fuzzy Hash: f4594e69e444229cd117596774970ba01b32571d59f6ad967dd8e0dd5f5eda7e
Instruction Fuzzy Hash: BFE04F32008601AEF7252B11FC06EB777E9EF04310B20C82DF4A5804B2DB666C90EB14

Function 0006CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 000B0C40

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 82cd4a299ae0cbbce319fc1c01698ce1b88b30ab7f88fcf2b5db4164e3dc93c6
Instruction ID: 3f882226f239e8ff16ed649c53ea3d0aa67c58cbbbcc5a12e8b0293427ee37fa
Opcode Fuzzy Hash: 82cd4a299ae0cbbce319fc1c01698ce1b88b30ab7f88fcf2b5db4164e3dc93c6
Instruction Fuzzy Hash: 89327B70900218DBEF24DF94C895EFEB7F6BF05304F148069E846AB292DB75AE45CB61

Function 0009676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00096766,?,?,00000008,?,?,0009FEFE,00000000), ref: 00096998

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1e90d12c447a882d350bbaf2b3ade43a984e3a90c647213ee80a08b0e2a4b081
Instruction ID: 9a9d07b6e440b7df855eb82a3a18f13cf62b2794ee6324c6e9e0cf184288ef68
Opcode Fuzzy Hash: 1e90d12c447a882d350bbaf2b3ade43a984e3a90c647213ee80a08b0e2a4b081
Instruction Fuzzy Hash: F8B14D31610608DFDB55CF28C48AB697BE0FF45364F258658E8DACF2A2C736E991DB40

Function 0007B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 000B851F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0777d823b97bbe710da9b2eea452c9ec8615bc9d671fea94d33cb119a65719d7
Instruction ID: 53cd8489faed839cd07c0389ad37100a7365783b5315ed3c78aa7d67fe29939d
Opcode Fuzzy Hash: 0777d823b97bbe710da9b2eea452c9ec8615bc9d671fea94d33cb119a65719d7
Instruction Fuzzy Hash: EC124E75D002299BDB64CF58C880BEEB7F5FF48710F1481AAE849EB255DB349E81CB94

Function 000DEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000DEABD

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ae2bbd4a868d375b5e759bf15650146b9ab79637f45c5012a18f4325faab0d7f
Instruction ID: 560da8ee33b9763c731e3c641685ca5a716b34970dadd01c73b5c90a7818eecc
Opcode Fuzzy Hash: ae2bbd4a868d375b5e759bf15650146b9ab79637f45c5012a18f4325faab0d7f
Instruction Fuzzy Hash: 7BE01A352002059FD710EF59D805E9AB7E9AF98760F008426FC4ACB361DAB0A8408BA1

Function 000809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000803EE), ref: 000809DA

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eb0f5914a9866e346aea32dff7f9475537b0796591344ebbf20d714d33f6c369
Instruction ID: 820885584be73e34c6f71c34ba06810163f0d6d2bec6a9327cbebc0697d875b0
Opcode Fuzzy Hash: eb0f5914a9866e346aea32dff7f9475537b0796591344ebbf20d714d33f6c369
Instruction Fuzzy Hash:

Function 0008781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0008798B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 305dfaf2723ad298949231ffe37864b3f3699bae7b704d338be082f9b52eb745
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 0951876168C605DBDBB8B528889D7FE27C9BB52340F380519D8CEC728BDE11DE01D356

Function 00096DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c582be2d4a999d8662b23a53c39b312b7d9d07f9d73e8b0bd819b65980b51ee9
Instruction ID: 9402268de7ca0780ddd0e3e6b4973dab0d3e8b67ffef5a1324ab3768ee5cc1bd
Opcode Fuzzy Hash: c582be2d4a999d8662b23a53c39b312b7d9d07f9d73e8b0bd819b65980b51ee9
Instruction Fuzzy Hash: D0321022D69F014DDB639634C826336A289AFB73C5F15C727E81AB5DAAEB68C4C35100

Function 0007CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca318286f86f82065b77761c74078de282c6765a67eafd54a5583afeb16d4c13
Instruction ID: 3859228072f3359a5516a06c8353becd8918ec99f967fd313663d43e056e6a44
Opcode Fuzzy Hash: ca318286f86f82065b77761c74078de282c6765a67eafd54a5583afeb16d4c13
Instruction Fuzzy Hash: B3321131A041498BFF79CE28C494EFD7BE1EB45304F28816AD89EDB291D638DD81DB15

Function 00067920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769e41bca8c105bff1c00c2a2ba827dd5ec396f9e175acdba3f12c62b2627758
Instruction ID: ec06d49e47680fea428538503241e32c484b08e6518d46523af9ef00024c9b30
Opcode Fuzzy Hash: 769e41bca8c105bff1c00c2a2ba827dd5ec396f9e175acdba3f12c62b2627758
Instruction Fuzzy Hash: 7C22A170A0460ADFDF14CFA4C841AEEB7F6FF45304F244529E816A7291EB369E55CB50

Function 000691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259dcd8cabc69518054a63c16dd290faeb3f8a2e1f0b952b53e3e4d94a9d6dd4
Instruction ID: 054a4f28060d2985f5074859b563fad4ceeec9de643c0e792b6f2eac6a98f4fe
Opcode Fuzzy Hash: 259dcd8cabc69518054a63c16dd290faeb3f8a2e1f0b952b53e3e4d94a9d6dd4
Instruction Fuzzy Hash: BB02E8B0E0010AEFDB14DF94D881AAEB7F5FF55300F108169E816DB291EB35AE61CB95

Function 00099EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4056ba1a68b9c51f2e433a53ec73e2938a6040da9d6c247d1aa515c7923be8c
Instruction ID: 4bbe7dcaabb6b0cf27fa07a2616f5cb87c2143f285df7722e658897148313b0d
Opcode Fuzzy Hash: f4056ba1a68b9c51f2e433a53ec73e2938a6040da9d6c247d1aa515c7923be8c
Instruction Fuzzy Hash: C1B1F020E2AF404DC62396398875336B65CBFBB6D5F91D31BFC6678D62EB2286C34140

Function 00081C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: dfa3212a2a5432e8178b25849d03045fd911d3dfab3c2fbd135814e347e57295
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 539186722081A34ADB69563E95341BEFFE97F923A131A079DD4F2CA1C1FE20C956D720

Function 00081F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 57534819237dcf254b361e37f91e1739f07e1aa544ca9e205f13c6d454a8e1a9
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: E59178722090A34EDBA95239857807EFFE16F923A131A07ADD5F2CB1C6EE24C555DB20

Function 000819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: b1edf00af526a6bb612c5001ab0cc7d1c3e30f2783abb7f9008a7278793b5c36
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3791A6722090E34ADBAD527A85740BDFFE96F923A131A079ED4F2CA1C1FE24C556D720

Function 00087A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00c14408736b1724a3ccb21657218e844f0f8e774a424725ff0071b2c7f8ba6
Instruction ID: 316e4bcc2e1583f3181bb749df70f70dc502ede74f9526dd490bde8cc968f894
Opcode Fuzzy Hash: d00c14408736b1724a3ccb21657218e844f0f8e774a424725ff0071b2c7f8ba6
Instruction Fuzzy Hash: A961692120870956DAB8B9288895BFE73D6FF91700F74491DE9CEDB28AD711DE42C316

Function 00087CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15726f61a10e7e3db59f0da2d38642a71ce9ec85542465b6499422a5b3df0322
Instruction ID: f7f9cd2b01816eaac0dcd986fe490867b3bdb18b6b0c744d7f561ee3d0e3312d
Opcode Fuzzy Hash: 15726f61a10e7e3db59f0da2d38642a71ce9ec85542465b6499422a5b3df0322
Instruction Fuzzy Hash: 92618C3120CB0992DEB879284851BFF23E8BF56700F704859E8CFDB28AEA12DD428355

Function 00081706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d21fc3ae9428d45de108d49784a4ec31582347d97f341a84f02b5a91c891b7d2
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 5781733260C0A349DBAD563A85354BEFFE57F923A131A079DD4F2CA1C1EE248556E720

Function 000B3CD5 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ad70260ad73ee144a3072c56cfc10cf03760bcbbc080d017d06677ef767822
Instruction ID: 38f5b7d8a2dd187647045011facc20ddeda3ca4b7e84aad01fa691d6c991153a
Opcode Fuzzy Hash: 35ad70260ad73ee144a3072c56cfc10cf03760bcbbc080d017d06677ef767822
Instruction Fuzzy Hash: 52719F79409690EFDB26CF24D4E1A91BFE1FF1732072948EEC4864B196D275A94ACF02

Function 000D2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187c48b708d69bf16c9edc36c9298f675d53c76baf12f458ccaf62de94ea82a6
Instruction ID: 445698f5ce4bb1775b7de4aa40201f9dbcf8530b220633455dc323dac4a5426b
Opcode Fuzzy Hash: 187c48b708d69bf16c9edc36c9298f675d53c76baf12f458ccaf62de94ea82a6
Instruction Fuzzy Hash: 0C21E7322206118BD728CF79C82367E77E5AB64320F14862EE4A7C37D1DE35A944CB90

Function 000E2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000E2B30
DeleteObject.GDI32(00000000), ref: 000E2B43
DestroyWindow.USER32 ref: 000E2B52
GetDesktopWindow.USER32 ref: 000E2B6D
GetWindowRect.USER32(00000000), ref: 000E2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 000E2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 000E2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2CF8
GetClientRect.USER32(00000000,?), ref: 000E2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000E2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2D80
GlobalLock.KERNEL32(00000000), ref: 000E2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2D98
GlobalUnlock.KERNEL32(00000000), ref: 000E2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2DA8
GlobalFree.KERNEL32(00000000), ref: 000E2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,000FFC38,00000000), ref: 000E2DDB
GlobalFree.KERNEL32(00000000), ref: 000E2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 000E2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 000E2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E303F

Strings

AutoIt v3, xrefs: 000E2CF2
, xrefs: 000E2FC5
DISPLAY, xrefs: 000E2EA2
static, xrefs: 000E2D3A, 000E2E91

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 101c91f8870e8657f3bc178f72c512a39f2ddf3c7ab2309dbd8756557cf83458
Instruction ID: d7628dbb8f86f7cec6f975fa7825f25f05d80437ceafb1fcc17d0d18b4a28b66
Opcode Fuzzy Hash: 101c91f8870e8657f3bc178f72c512a39f2ddf3c7ab2309dbd8756557cf83458
Instruction Fuzzy Hash: 1F028C71900209AFEB14DF64CD89EAE7BB9FF49310F108158F915AB2A1DB74AD41CB60

Function 000F70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 000F712F
GetSysColorBrush.USER32(0000000F), ref: 000F7160
GetSysColor.USER32(0000000F), ref: 000F716C
SetBkColor.GDI32(?,000000FF), ref: 000F7186
SelectObject.GDI32(?,?), ref: 000F7195
InflateRect.USER32(?,000000FF,000000FF), ref: 000F71C0
GetSysColor.USER32(00000010), ref: 000F71C8
CreateSolidBrush.GDI32(00000000), ref: 000F71CF
FrameRect.USER32(?,?,00000000), ref: 000F71DE
DeleteObject.GDI32(00000000), ref: 000F71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 000F7230
FillRect.USER32(?,?,?), ref: 000F7262
GetWindowLongW.USER32(?,000000F0), ref: 000F7284

Part of subcall function 000F73E8: GetSysColor.USER32(00000012), ref: 000F7421
Part of subcall function 000F73E8: SetTextColor.GDI32(?,?), ref: 000F7425
Part of subcall function 000F73E8: GetSysColorBrush.USER32(0000000F), ref: 000F743B
Part of subcall function 000F73E8: GetSysColor.USER32(0000000F), ref: 000F7446
Part of subcall function 000F73E8: GetSysColor.USER32(00000011), ref: 000F7463
Part of subcall function 000F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000F7471
Part of subcall function 000F73E8: SelectObject.GDI32(?,00000000), ref: 000F7482
Part of subcall function 000F73E8: SetBkColor.GDI32(?,00000000), ref: 000F748B
Part of subcall function 000F73E8: SelectObject.GDI32(?,?), ref: 000F7498
Part of subcall function 000F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 000F74B7
Part of subcall function 000F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000F74CE
Part of subcall function 000F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 000F74DB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d58a0d9a3988050ce09469f70125ff4dfc867df2c32145fdbbd9b4032aa4a797
Instruction ID: 22519edc74d48086d000fa10338f6325f6e3965e6b4ecdafe221f67775d395eb
Opcode Fuzzy Hash: d58a0d9a3988050ce09469f70125ff4dfc867df2c32145fdbbd9b4032aa4a797
Instruction Fuzzy Hash: 80A1C172008309BFE7509F64CD49EBB7BE9FB49320F100A18FA66964E1D734E944EB52

Function 00078D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00078E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 000B6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000B6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000B6F43

Part of subcall function 00078F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00078BE8,?,00000000,?,?,?,?,00078BBA,00000000,?), ref: 00078FC5

SendMessageW.USER32(?,00001053), ref: 000B6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000B6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 000B6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 000B6FB7

Strings

0, xrefs: 000B6DCF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: efae4191fa6c25ae6ab768c8470b8ebc1944a56afd1919ccfb67c9b2bddfc828
Instruction ID: 98c5b557caf20749a0680aeb93e6defd5e2dfdcb041355156c2207539bfb7539
Opcode Fuzzy Hash: efae4191fa6c25ae6ab768c8470b8ebc1944a56afd1919ccfb67c9b2bddfc828
Instruction Fuzzy Hash: 9512AD30A04205EFDB65CF14C958BFABBE5FB44300F148469E499CB662CB3AEC92DB55

Function 000E2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 000E273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000E286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 000E28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 000E28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 000E2900
GetClientRect.USER32(00000000,?), ref: 000E290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 000E2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000E2964
GetStockObject.GDI32(00000011), ref: 000E2974
SelectObject.GDI32(00000000,00000000), ref: 000E2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 000E2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000E2991
DeleteDC.GDI32(00000000), ref: 000E299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000E29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 000E29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 000E2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000E2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 000E2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 000E2A77
GetStockObject.GDI32(00000011), ref: 000E2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000E2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 000E2A97

Strings

AutoIt v3, xrefs: 000E28F8
msctls_progress32, xrefs: 000E2A13
DISPLAY, xrefs: 000E295A
static, xrefs: 000E294F, 000E2A71

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 65e61cb6849c2f75301c069a6164506a85bf62d3dd1e03fac5d855bb8323dc99
Instruction ID: 20209462d3ceabded246566417186b92deb497a154142e7341d62e0d424bedd1
Opcode Fuzzy Hash: 65e61cb6849c2f75301c069a6164506a85bf62d3dd1e03fac5d855bb8323dc99
Instruction Fuzzy Hash: CEB14CB1A00219BFEB14DFA9DD4AFAE7BA9FB08710F004115F915E7691DB74AD40CBA0

Function 000D4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000D4AED
GetDriveTypeW.KERNEL32(?,000FCB68,?,\\.\,000FCC08), ref: 000D4BCA
SetErrorMode.KERNEL32(00000000,000FCB68,?,\\.\,000FCC08), ref: 000D4D36

Strings

RAMDisk, xrefs: 000D4BF4
\\.\, xrefs: 000D4B3F
SAS, xrefs: 000D4CC9
SSD, xrefs: 000D4C4A
USB, xrefs: 000D4CB4
Fixed, xrefs: 000D4C09
Fibre, xrefs: 000D4CAD
SSA, xrefs: 000D4CA6
SATA, xrefs: 000D4CD0
ATAPI, xrefs: 000D4C91
CDROM, xrefs: 000D4BFB
SCSI, xrefs: 000D4C8A
1394, xrefs: 000D4C9F
PhysicalDrive, xrefs: 000D4B76
Removable, xrefs: 000D4C10, 000D4C15
iSCSI, xrefs: 000D4CC2
RAID, xrefs: 000D4CBB
ATA, xrefs: 000D4C98
MMC, xrefs: 000D4CDE
Virtual, xrefs: 000D4CE5
Network, xrefs: 000D4C02
FileBackedVirtual, xrefs: 000D4CEC
Unknown, xrefs: 000D4BED, 000D4C83

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: baa598966388443c64fff41edb959f730c35a92c32a2e3ba559d1818bfccabe4
Instruction ID: 2f0026448c6ac44b1640b44569a20bea6a04d4c3eab69ceae9db3d40612606ef
Opcode Fuzzy Hash: baa598966388443c64fff41edb959f730c35a92c32a2e3ba559d1818bfccabe4
Instruction Fuzzy Hash: 6A61EF30616309DBCB94DF64DA82DBC77B2AF04304B209017F806AB792DB36ED55DB61

Function 000F73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 000F7421
SetTextColor.GDI32(?,?), ref: 000F7425
GetSysColorBrush.USER32(0000000F), ref: 000F743B
GetSysColor.USER32(0000000F), ref: 000F7446
CreateSolidBrush.GDI32(?), ref: 000F744B
GetSysColor.USER32(00000011), ref: 000F7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 000F7471
SelectObject.GDI32(?,00000000), ref: 000F7482
SetBkColor.GDI32(?,00000000), ref: 000F748B
SelectObject.GDI32(?,?), ref: 000F7498
InflateRect.USER32(?,000000FF,000000FF), ref: 000F74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000F74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 000F74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000F752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000F7554
InflateRect.USER32(?,000000FD,000000FD), ref: 000F7572
DrawFocusRect.USER32(?,?), ref: 000F757D
GetSysColor.USER32(00000011), ref: 000F758E
SetTextColor.GDI32(?,00000000), ref: 000F7596
DrawTextW.USER32(?,000F70F5,000000FF,?,00000000), ref: 000F75A8
SelectObject.GDI32(?,?), ref: 000F75BF
DeleteObject.GDI32(?), ref: 000F75CA
SelectObject.GDI32(?,?), ref: 000F75D0
DeleteObject.GDI32(?), ref: 000F75D5
SetTextColor.GDI32(?,?), ref: 000F75DB
SetBkColor.GDI32(?,?), ref: 000F75E5

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 12f71d3736bf88473aa7615a968dc9394236ef30c244cb28cc2f41b5de264f0e
Instruction ID: cfc5bdc1b14fb54e51f7cea196144c962becd633dc748c4ae6e5d4f4a6487ec0
Opcode Fuzzy Hash: 12f71d3736bf88473aa7615a968dc9394236ef30c244cb28cc2f41b5de264f0e
Instruction Fuzzy Hash: D3618E7290421CAFEB009FA4DC49EEE7FB9FB09720F104111FA15AB6A1D774A940EB90

Function 000F0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000F1128
GetDesktopWindow.USER32 ref: 000F113D
GetWindowRect.USER32(00000000), ref: 000F1144
GetWindowLongW.USER32(?,000000F0), ref: 000F1199
DestroyWindow.USER32(?), ref: 000F11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000F11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000F120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000F121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 000F1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 000F1245
IsWindowVisible.USER32(00000000), ref: 000F12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 000F12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 000F12D0
GetWindowRect.USER32(00000000,?), ref: 000F12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 000F130E
GetMonitorInfoW.USER32(00000000,?), ref: 000F1328
CopyRect.USER32(?,?), ref: 000F133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 000F13AA

Strings

(, xrefs: 000F131B
tooltips_class32, xrefs: 000F11E6
0, xrefs: 000F10D3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 964ec4fe5bb170a9dbaed4eaa9f283f73e5da6277a425fc338c397b0f69fa52e
Instruction ID: 673479bdb99ad518948c8442292b5dd0b3e1e01b2137d91ce90b1dd119cc9dac
Opcode Fuzzy Hash: 964ec4fe5bb170a9dbaed4eaa9f283f73e5da6277a425fc338c397b0f69fa52e
Instruction Fuzzy Hash: 9CB1BE71608345EFE740DF64C985BAEBBE5FF84310F008918FA999B6A2C770E844DB91

Function 000F0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000F02E5
_wcslen.LIBCMT ref: 000F031F
_wcslen.LIBCMT ref: 000F0389
_wcslen.LIBCMT ref: 000F03F1
_wcslen.LIBCMT ref: 000F0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000F04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000F0504

Part of subcall function 0007F9F2: _wcslen.LIBCMT ref: 0007F9FD

Part of subcall function 000C223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000C2258
Part of subcall function 000C223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000C228A

Strings

GETTEXT, xrefs: 000F03EC, 000F0407
SELECT, xrefs: 000F0548
ISSELECTED, xrefs: 000F04DD
SELECTALL, xrefs: 000F0515
FINDITEM, xrefs: 000F0627
SELECTINVERT, xrefs: 000F057E
GETSELECTEDCOUNT, xrefs: 000F0470, 000F048B
DESELECT, xrefs: 000F059C
GETITEMCOUNT, xrefs: 000F0316, 000F0337
SELECTCLEAR, xrefs: 000F052D
GETSUBITEMCOUNT, xrefs: 000F0384, 000F039F
VIEWCHANGE, xrefs: 000F0675
GETSELECTED, xrefs: 000F05E1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 17711198222a6506370710324516bac1bc67d67ee2dbf6e59faec5dae4e6a59b
Instruction ID: 7e48068109e82e37c87bd5f816efe4f254147b0821cde1903a4d2f9412ac1551
Opcode Fuzzy Hash: 17711198222a6506370710324516bac1bc67d67ee2dbf6e59faec5dae4e6a59b
Instruction Fuzzy Hash: 76E1DF312086058FC724DF24C5509BFB3E6BF88714B14896CF99AABAA3DB30ED45DB41

Function 00078891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00078968
GetSystemMetrics.USER32(00000007), ref: 00078970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0007899B
GetSystemMetrics.USER32(00000008), ref: 000789A3
GetSystemMetrics.USER32(00000004), ref: 000789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00078A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00078A3C
GetClientRect.USER32(00000000,000000FF), ref: 00078A5A
GetStockObject.GDI32(00000011), ref: 00078A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00078A81

Part of subcall function 0007912D: GetCursorPos.USER32(?), ref: 00079141
Part of subcall function 0007912D: ScreenToClient.USER32(00000000,?), ref: 0007915E
Part of subcall function 0007912D: GetAsyncKeyState.USER32(00000001), ref: 00079183
Part of subcall function 0007912D: GetAsyncKeyState.USER32(00000002), ref: 0007919D

SetTimer.USER32(00000000,00000000,00000028,000790FC), ref: 00078AA8

Strings

AutoIt v3 GUI, xrefs: 00078A20

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cf253b8579484156345cae54b52381886448e879cdffac67c4704cd9cf9d7193
Instruction ID: d14e83c08e62703599884cf038dde5ef0c7b773403b37ec260adcdfb4a266524
Opcode Fuzzy Hash: cf253b8579484156345cae54b52381886448e879cdffac67c4704cd9cf9d7193
Instruction Fuzzy Hash: E7B16E71A40209AFEB14DF68CD49BEE3BB5FB48314F108229FA15A7290DB38E841CF55

Function 000C0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000C1114
Part of subcall function 000C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1120
Part of subcall function 000C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C112F
Part of subcall function 000C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1136
Part of subcall function 000C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000C0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000C0E29
GetLengthSid.ADVAPI32(?), ref: 000C0E40
GetAce.ADVAPI32(?,00000000,?), ref: 000C0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000C0E96
GetLengthSid.ADVAPI32(?), ref: 000C0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000C0EB5
HeapAlloc.KERNEL32(00000000), ref: 000C0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000C0EDD
CopySid.ADVAPI32(00000000), ref: 000C0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000C0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000C0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000C0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0F6E
HeapFree.KERNEL32(00000000), ref: 000C0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0F7E
HeapFree.KERNEL32(00000000), ref: 000C0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0F8E
HeapFree.KERNEL32(00000000), ref: 000C0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 000C0FA1
HeapFree.KERNEL32(00000000), ref: 000C0FA8

Part of subcall function 000C1193: GetProcessHeap.KERNEL32(00000008,000C0BB1,?,00000000,?,000C0BB1,?), ref: 000C11A1
Part of subcall function 000C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000C0BB1,?), ref: 000C11A8
Part of subcall function 000C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000C0BB1,?), ref: 000C11B7

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8fe13c1fc9392e31292a5ab33a1e538cab0e8c2c31361faf739a33fcf3e06fec
Instruction ID: ec1df0fdc3102c65c7858c2ca3311fdc45f154e196fe6c1c7e39141020caea43
Opcode Fuzzy Hash: 8fe13c1fc9392e31292a5ab33a1e538cab0e8c2c31361faf739a33fcf3e06fec
Instruction Fuzzy Hash: D4716D7290020AEBEF20DFA4DD49FEEBBB8BF05300F044129F919E6591D7359A56DB60

Function 000EC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,000FCC08,00000000,?,00000000,?,?), ref: 000EC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 000EC5A4
_wcslen.LIBCMT ref: 000EC5F4
_wcslen.LIBCMT ref: 000EC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 000EC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 000EC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 000EC84D
RegCloseKey.ADVAPI32(?), ref: 000EC881
RegCloseKey.ADVAPI32(00000000), ref: 000EC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 000EC960

Strings

REG_BINARY, xrefs: 000EC913
REG_MULTI_SZ, xrefs: 000EC6F5
REG_QWORD, xrefs: 000EC8C3
REG_DWORD, xrefs: 000EC804
REG_SZ, xrefs: 000EC644
REG_EXPAND_SZ, xrefs: 000EC5CD

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 9727f28ae64cd3fe49269fde74b357b7eeabc2da7400c0c5f16e56e5cef0add1
Instruction ID: 285c72c3aaedce2642d1fcb30028d61677138ba3f1c42547965f36b330e27088
Opcode Fuzzy Hash: 9727f28ae64cd3fe49269fde74b357b7eeabc2da7400c0c5f16e56e5cef0add1
Instruction Fuzzy Hash: F91267352046419FE714DF15C981E6AB7E5EF88314F14889DF88AAB3A2DB31ED42CB81

Function 000F091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000F09C6
_wcslen.LIBCMT ref: 000F0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000F0A54
_wcslen.LIBCMT ref: 000F0A8A
_wcslen.LIBCMT ref: 000F0B06
_wcslen.LIBCMT ref: 000F0B81

Part of subcall function 0007F9F2: _wcslen.LIBCMT ref: 0007F9FD

Part of subcall function 000C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000C2BFA

Strings

GETITEMCOUNT, xrefs: 000F0C1E
GETTEXT, xrefs: 000F0C97
SELECT, xrefs: 000F0D11
ISCHECKED, xrefs: 000F0CE1
GETTOTALCOUNT, xrefs: 000F09F2, 000F0A17
EXPAND, xrefs: 000F0BF8
CHECK, xrefs: 000F0A85, 000F0AA0
EXISTS, xrefs: 000F0B7C, 000F0B97
COLLAPSE, xrefs: 000F0B01, 000F0B1C
GETSELECTED, xrefs: 000F0C4E
UNCHECK, xrefs: 000F0D3E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: eb127003bb8d780797e6a11bc524d802bb4d5ba05b2d44351ce48fc4f2dcc8ba
Instruction ID: 1d854d7373cfd91c3df370097b322d549512f45db5f04adc4b280bd5240a5d0f
Opcode Fuzzy Hash: eb127003bb8d780797e6a11bc524d802bb4d5ba05b2d44351ce48fc4f2dcc8ba
Instruction Fuzzy Hash: F4E199312087058FC724DF24C45097AB7E2BF98318B54895DF99AABBA3D730ED45DB82

Function 000EC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
_wcslen.LIBCMT ref: 000EC9F1
_wcslen.LIBCMT ref: 000ECA68
_wcslen.LIBCMT ref: 000ECA9E
_wcslen.LIBCMT ref: 000ECAF9
_wcslen.LIBCMT ref: 000ECB2F
_wcslen.LIBCMT ref: 000ECB7F

Strings

HKCC, xrefs: 000ECBAC
HKEY_CURRENT_USER, xrefs: 000ECBBD
HKU, xrefs: 000ECBF0
HKCR, xrefs: 000ECB29, 000ECB2E
HKCU, xrefs: 000ECBCE
HKEY_CURRENT_CONFIG, xrefs: 000ECB79, 000ECB7E
HKLM, xrefs: 000ECA98, 000ECA9D
HKEY_CLASSES_ROOT, xrefs: 000ECAF3, 000ECAF8
HKEY_LOCAL_MACHINE, xrefs: 000ECA62, 000ECA67
HKEY_USERS, xrefs: 000ECBDF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 1e10131bbbf0c2fb635fc9bb7be5dd9005ccac253cd6c47f0a84324815bf1700
Instruction ID: ab2594c214014c5a960aef2aab58e1d929e5b37887dfe94dccabb184c073e817
Opcode Fuzzy Hash: 1e10131bbbf0c2fb635fc9bb7be5dd9005ccac253cd6c47f0a84324815bf1700
Instruction Fuzzy Hash: 4571F7326001AA8FEB20DE7ED941DFF33D5AB60754F290125F866B7285E732CD468391

Function 000F833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F835A
_wcslen.LIBCMT ref: 000F836E
_wcslen.LIBCMT ref: 000F8391
_wcslen.LIBCMT ref: 000F83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000F83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000F5BF2), ref: 000F844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000F8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 000F84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000F8501
FreeLibrary.KERNEL32(?), ref: 000F850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000F851D
DestroyIcon.USER32(?,?,?,?,?,000F5BF2), ref: 000F852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000F8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000F8555

Strings

.icl, xrefs: 000F8368
.dll, xrefs: 000F83AB
.exe, xrefs: 000F8388

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a01b4469da88869610042da644b3ec5454a2833984d21ba581d353459ebcc025
Instruction ID: b00df35e8d22467cb814445270cfd1a51e2596d96e0071ea1c7e5df7285ed4ad
Opcode Fuzzy Hash: a01b4469da88869610042da644b3ec5454a2833984d21ba581d353459ebcc025
Instruction Fuzzy Hash: 9061F27150061ABBEB24DF64CC46FFE77A8BF04B10F108609FA15D65D1DB74AA90E7A0

Function 00067778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00067873, 000678C5
#comments-start, xrefs: 0006785F, 000678B1
#ce, xrefs: 000678ED
Unterminated group of comments, xrefs: 000A528C
#notrayicon, xrefs: 000677E7
#OnAutoItStartRegister, xrefs: 00067817
#requireadmin, xrefs: 000677FF
Bad directive syntax error, xrefs: 000A519A
Cannot parse #include, xrefs: 000A5279
#include, xrefs: 00067847
#pragma compile, xrefs: 000677D3
#comments-end, xrefs: 000678D9
", xrefs: 000A5153
#include-once, xrefs: 0006782F
', xrefs: 000A5169

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d2ba74f98f068d1d7bc00ac03f05b8018f20dbcec0a8cbaa3f45e8d4dd8deb47
Instruction ID: 8c86347b08d987c1864fbf628c28316896facb2badd8cdd9742344f0c26aecb6
Opcode Fuzzy Hash: d2ba74f98f068d1d7bc00ac03f05b8018f20dbcec0a8cbaa3f45e8d4dd8deb47
Instruction Fuzzy Hash: 5881F571A44609BBDB20AF60DC42FFE37AABF15304F144025FA09AB197EB70DA11D7A5

Function 000D3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 000D3EF8
_wcslen.LIBCMT ref: 000D3F03
_wcslen.LIBCMT ref: 000D3F5A
_wcslen.LIBCMT ref: 000D3F98
GetDriveTypeW.KERNEL32(?), ref: 000D3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000D401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000D4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000D4087

Strings

open, xrefs: 000D3F54, 000D3F59
type cdaudio alias cd wait, xrefs: 000D4001
close, xrefs: 000D3EFE, 000D3F18
close cd wait, xrefs: 000D4072
wait, xrefs: 000D4044
open , xrefs: 000D3FE5
set cd door , xrefs: 000D4028
closed, xrefs: 000D3F08, 000D3F2D, 000D3F46, 000D3F7E, 000D3F97

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4406522f9350c03742ce5de0ce59a47154fed9b99703ca8e85b5083e0097e15d
Instruction ID: 5c4ca487c51c1fcb1bf5a9857834bce4ee69fe2992e21b17b84d1a4df8060338
Opcode Fuzzy Hash: 4406522f9350c03742ce5de0ce59a47154fed9b99703ca8e85b5083e0097e15d
Instruction Fuzzy Hash: 2871C1326043159FC310EF24C8819AAB7F5EF94758F50492EF49697392EB31EE45CBA2

Function 000C5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000C5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000C5A40
SetWindowTextW.USER32(?,?), ref: 000C5A57
GetDlgItem.USER32(?,000003EA), ref: 000C5A6C
SetWindowTextW.USER32(00000000,?), ref: 000C5A72
GetDlgItem.USER32(?,000003E9), ref: 000C5A82
SetWindowTextW.USER32(00000000,?), ref: 000C5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000C5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000C5AC3
GetWindowRect.USER32(?,?), ref: 000C5ACC
_wcslen.LIBCMT ref: 000C5B33
SetWindowTextW.USER32(?,?), ref: 000C5B6F
GetDesktopWindow.USER32 ref: 000C5B75
GetWindowRect.USER32(00000000), ref: 000C5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 000C5BD3
GetClientRect.USER32(?,?), ref: 000C5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 000C5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000C5C2F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: c81d47ba99ff59526675f19a528d58a3d2d1c977124353c80dbbce883d321905
Instruction ID: 2d28bcb995bfb254691666952ad613e2e246c228332e15f6a94fa81f0016bf65
Opcode Fuzzy Hash: c81d47ba99ff59526675f19a528d58a3d2d1c977124353c80dbbce883d321905
Instruction Fuzzy Hash: F8714A35900B09AFEB20DFA9CE86FAEBBF5FB48705F10451CE142A25A0D775B984DB50

Function 000DFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 000DFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 000DFE32
LoadCursorW.USER32(00000000,00007F00), ref: 000DFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 000DFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 000DFE53
LoadCursorW.USER32(00000000,00007F01), ref: 000DFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 000DFE69
LoadCursorW.USER32(00000000,00007F88), ref: 000DFE74
LoadCursorW.USER32(00000000,00007F80), ref: 000DFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 000DFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 000DFE95
LoadCursorW.USER32(00000000,00007F85), ref: 000DFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 000DFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 000DFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 000DFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 000DFECC
GetCursorInfo.USER32(?), ref: 000DFEDC
GetLastError.KERNEL32 ref: 000DFF1E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: ec2c86f87262b80eee3d53d61ac8c8d31e9ae85f86866b9e630b06e770a469b0
Instruction ID: 052911642649d9028b9141fa204e5ef63a46bba1ff67ea2ea72bbce23b0a9887
Opcode Fuzzy Hash: ec2c86f87262b80eee3d53d61ac8c8d31e9ae85f86866b9e630b06e770a469b0
Instruction Fuzzy Hash: 92412570D0431AAADB509FB68C85C6EBFE9FF04754B50853AE11DE7281DB789901CEA1

Function 000800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000800C6

Part of subcall function 000800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0013070C,00000FA0,B740A5DB,?,?,?,?,000A23B3,000000FF), ref: 0008011C
Part of subcall function 000800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000A23B3,000000FF), ref: 00080127
Part of subcall function 000800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000A23B3,000000FF), ref: 00080138
Part of subcall function 000800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0008014E
Part of subcall function 000800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0008015C
Part of subcall function 000800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0008016A
Part of subcall function 000800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00080195
Part of subcall function 000800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000801A0

___scrt_fastfail.LIBCMT ref: 000800E7

Part of subcall function 000800A3: __onexit.LIBCMT ref: 000800A9

Strings

WakeAllConditionVariable, xrefs: 00080162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00080122
kernel32.dll, xrefs: 00080133
InitializeConditionVariable, xrefs: 00080148
SleepConditionVariableCS, xrefs: 00080154

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 666afee78a928513938ba1da29213c5200eb440b56eb5ba40ab8914e9685a135
Instruction ID: 5cf030e546f76d2305568f0837647127feca41eb3f941213fbd9878b18f4a536
Opcode Fuzzy Hash: 666afee78a928513938ba1da29213c5200eb440b56eb5ba40ab8914e9685a135
Instruction Fuzzy Hash: DE212932A4171A6BFB617B64AC0AF7D33D4FF46B60F000135FA8196A92DB789C04DB94

Function 000C30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000C318D
_wcslen.LIBCMT ref: 000C31F8

Strings

CLASS, xrefs: 000C3188, 000C31A5
CLASSNN, xrefs: 000C31F3, 000C3204
INSTANCE, xrefs: 000C3453
REGEXPCLASS, xrefs: 000C3255, 000C3266
TEXT, xrefs: 000C347C
NAME, xrefs: 000C3335, 000C3346

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5737b464f98fc3fd0d4eb3d3adc8fe2843bff176fc94c09efff2b75c1a728099
Instruction ID: 13739b1d0fa8921cb07245cb7ba8c562b5a2dd69b78c1e2881a6fc7c56202b20
Opcode Fuzzy Hash: 5737b464f98fc3fd0d4eb3d3adc8fe2843bff176fc94c09efff2b75c1a728099
Instruction Fuzzy Hash: 4DE1C132A10526ABCB689FA8C481FEEBBB5BF54710F54C11DE456B7241DB30AF858790

Function 000D44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,000FCC08), ref: 000D4527
_wcslen.LIBCMT ref: 000D453B
_wcslen.LIBCMT ref: 000D4599
_wcslen.LIBCMT ref: 000D45F4
_wcslen.LIBCMT ref: 000D463F
_wcslen.LIBCMT ref: 000D46A7

Part of subcall function 0007F9F2: _wcslen.LIBCMT ref: 0007F9FD

GetDriveTypeW.KERNEL32(?,00126BF0,00000061), ref: 000D4743

Strings

removable, xrefs: 000D45EA, 000D45EF
cdrom, xrefs: 000D458F, 000D4594
fixed, xrefs: 000D4635, 000D463A
ramdisk, xrefs: 000D46F1
network, xrefs: 000D469D, 000D46A2
all, xrefs: 000D4531, 000D4536
unknown, xrefs: 000D4708

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 61d89ddd80a0b656c778f3076108dd7d71e28d5b3d29a51376210efef7c5e920
Instruction ID: f2c3122a08852b6988992ecd27e8ca6642ce4ba4bdb75af3675368e695f91d0f
Opcode Fuzzy Hash: 61d89ddd80a0b656c778f3076108dd7d71e28d5b3d29a51376210efef7c5e920
Instruction Fuzzy Hash: D5B1C0316083029FC720DF28D890AAEB7E5AFA5764F50491EF49AD7396D730D944CBA2

Function 000E3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000FCC08), ref: 000E40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 000E40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,000FCC08), ref: 000E40F2
FreeLibrary.KERNEL32(00000000,?,000FCC08), ref: 000E413E
StringFromGUID2.OLE32(?,?,00000028,?,000FCC08), ref: 000E41A8
SysFreeString.OLEAUT32(00000009), ref: 000E4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000E42C8
SysFreeString.OLEAUT32(?), ref: 000E42F2

Strings

GetModuleHandleExW, xrefs: 000E40C7
kernel32.dll, xrefs: 000E40B6

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: bf3d9c381f1ec2d00a013cfb968a9ee4fbb46ea98d3e62a11a63a01a5272ecd0
Instruction ID: 358475b5ebc10586778dbd238a4a9019bd84f7732898c1a007670d044f05954e
Opcode Fuzzy Hash: bf3d9c381f1ec2d00a013cfb968a9ee4fbb46ea98d3e62a11a63a01a5272ecd0
Instruction Fuzzy Hash: 20125B75A00249EFDB54CF95C884EAEB7B9FF45314F248098F905AB252C731ED46CBA0

Function 0006326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00131990), ref: 000A2F8D
GetMenuItemCount.USER32(00131990), ref: 000A303D
GetCursorPos.USER32(?), ref: 000A3081
SetForegroundWindow.USER32(00000000), ref: 000A308A
TrackPopupMenuEx.USER32(00131990,00000000,?,00000000,00000000,00000000), ref: 000A309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000A30A9

Strings

0, xrefs: 0006327D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 92b65adbe6c29ff1ee18cba42d342d8325f2e3435d379979f9d09193c3981296
Instruction ID: 586a74c1467212343fa90cf33eb9b0f48c4f9407a0c6043360d6449606852bb7
Opcode Fuzzy Hash: 92b65adbe6c29ff1ee18cba42d342d8325f2e3435d379979f9d09193c3981296
Instruction Fuzzy Hash: F1712930644206BEFB319F68CC5AFAEBFA5FF01324F204226F5156A1E1C7B1A954DB90

Function 000F6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 000F6DEB

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000F6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000F6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000F6E94
DestroyWindow.USER32(?), ref: 000F6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00060000,00000000), ref: 000F6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000F6EFD
GetDesktopWindow.USER32 ref: 000F6F16
GetWindowRect.USER32(00000000), ref: 000F6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000F6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000F6F4D

Part of subcall function 00079944: GetWindowLongW.USER32(?,000000EB), ref: 00079952

Strings

0, xrefs: 000F6D98
tooltips_class32, xrefs: 000F6E58, 000F6EDD

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 4ba337036b97152313cbeb7c173d84eedb6060b5241df5869b8a876ebfce1dd0
Instruction ID: f4d391576c918c40954889be62b9ff2b2d749c79e6556aad4081c3aa9983d0f5
Opcode Fuzzy Hash: 4ba337036b97152313cbeb7c173d84eedb6060b5241df5869b8a876ebfce1dd0
Instruction Fuzzy Hash: 94717C71104248AFEB21CF18DC44FBABBE9FB89304F08042DFA8987661C775AD49EB11

Function 000F911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

DragQueryPoint.SHELL32(?,?), ref: 000F9147

Part of subcall function 000F7674: ClientToScreen.USER32(?,?), ref: 000F769A
Part of subcall function 000F7674: GetWindowRect.USER32(?,?), ref: 000F7710
Part of subcall function 000F7674: PtInRect.USER32(?,?,000F8B89), ref: 000F7720

SendMessageW.USER32(?,000000B0,?,?), ref: 000F91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000F91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000F91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 000F9225
SendMessageW.USER32(?,000000B0,?,?), ref: 000F923E
SendMessageW.USER32(?,000000B1,?,?), ref: 000F9255
SendMessageW.USER32(?,000000B1,?,?), ref: 000F9277
DragFinish.SHELL32(?), ref: 000F927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000F9371

Strings

@GUI_DRAGFILE, xrefs: 000F9320
@GUI_DRAGID, xrefs: 000F92E9
@GUI_DROPID, xrefs: 000F929E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4cdf60fe743c86bd26700a88f5ed895536a82e71be68c4bba656bff419468942
Instruction ID: 627552209be8d4c8592517e0e8ccd90908cfbdf7fd7c88bedfd67dfcc263a2c1
Opcode Fuzzy Hash: 4cdf60fe743c86bd26700a88f5ed895536a82e71be68c4bba656bff419468942
Instruction Fuzzy Hash: 0C618971108304AFD701EF60DD85EAFBBE9EF88750F00092EF595925A1DB709A49DB52

Function 000DC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000DC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000DC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000DC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000DC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 000DC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000DC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000DC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000DC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000DC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000DC5F0
InternetCloseHandle.WININET(00000000), ref: 000DC5FB

Strings

, xrefs: 000DC575

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 618f39c9e2f0ba45b3dcd1dc4a17dddf7c2289020e35db0739875ccc857eab65
Instruction ID: 1adfc3c0c3fa835b4401dc18e593c113278179b9b18c3e0d1d2415a520f12a1c
Opcode Fuzzy Hash: 618f39c9e2f0ba45b3dcd1dc4a17dddf7c2289020e35db0739875ccc857eab65
Instruction Fuzzy Hash: F65138B150070AAFFB219F609989EBA7BFCEB08744F00441AB94696610DB34E944EB70

Function 000F856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 000F8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85BA
GlobalLock.KERNEL32(00000000), ref: 000F85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85D7
GlobalUnlock.KERNEL32(00000000), ref: 000F85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,000FFC38,?), ref: 000F8611
GlobalFree.KERNEL32(00000000), ref: 000F8621
GetObjectW.GDI32(?,00000018,?), ref: 000F8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 000F8671
DeleteObject.GDI32(?), ref: 000F8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000F86AF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: f698e9ae40ff09ec0afbaf0737729b9730d0eea3c99aa1698479af11b47c9e5a
Instruction ID: aa0f6b5011b8f1a8808dd4976714367a9d8c86ab45d42577eaad7820b0ec21ac
Opcode Fuzzy Hash: f698e9ae40ff09ec0afbaf0737729b9730d0eea3c99aa1698479af11b47c9e5a
Instruction Fuzzy Hash: C5410975600208AFEB11DFA5CD49EBA7BB8FF89B51F108058F905EB660DB349901EB60

Function 000D14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 000D1502
VariantCopy.OLEAUT32(?,?), ref: 000D150B
VariantClear.OLEAUT32(?), ref: 000D1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000D15FB
VarR8FromDec.OLEAUT32(?,?), ref: 000D1657
VariantInit.OLEAUT32(?), ref: 000D1708
SysFreeString.OLEAUT32(?), ref: 000D178C
VariantClear.OLEAUT32(?), ref: 000D17D8
VariantClear.OLEAUT32(?), ref: 000D17E7
VariantInit.OLEAUT32(00000000), ref: 000D1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 000D1625
Default, xrefs: 000D16AF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 24c468c883842f386768c347db93b669da853a5a58b48df8d9519862f078bd24
Instruction ID: 60329311489bdfc1d384d07ba6dec3227ae5940a4a7fd35d71add03bfd17ac1f
Opcode Fuzzy Hash: 24c468c883842f386768c347db93b669da853a5a58b48df8d9519862f078bd24
Instruction Fuzzy Hash: 3AD1CC71A00A05EBEB209F65E885BFDB7B6BF45700F108056E416AB695DF38EC40DBA1

Function 000EB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000EC9F1
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA68
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000EB772
RegDeleteValueW.ADVAPI32(?,?), ref: 000EB80A
RegCloseKey.ADVAPI32(?), ref: 000EB87E
RegCloseKey.ADVAPI32(?), ref: 000EB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 000EB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000EB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 000EB922
FreeLibrary.KERNEL32(00000000), ref: 000EB983
RegCloseKey.ADVAPI32(00000000), ref: 000EB994

Strings

advapi32.dll, xrefs: 000EB8ED
RegDeleteKeyExW, xrefs: 000EB8FE

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: fee6280d4bbda68d65ae2d1fa985d5fedd7fd843fc23bb64564fafabc23f746e
Instruction ID: 4c26cccb72d9a364ba08cd74033091a40efb836fb55eb82e1e54b4655ca90701
Opcode Fuzzy Hash: fee6280d4bbda68d65ae2d1fa985d5fedd7fd843fc23bb64564fafabc23f746e
Instruction Fuzzy Hash: 96C1AC30208241AFE720DF15C495F6ABBE5BF84308F14849CE49A9B7A3CB75EC46CB91

Function 000E255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000E25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 000E25E8
CreateCompatibleDC.GDI32(?), ref: 000E25F4
SelectObject.GDI32(00000000,?), ref: 000E2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 000E266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 000E26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 000E26D0
SelectObject.GDI32(?,?), ref: 000E26D8
DeleteObject.GDI32(?), ref: 000E26E1
DeleteDC.GDI32(?), ref: 000E26E8
ReleaseDC.USER32(00000000,?), ref: 000E26F3

Strings

(, xrefs: 000E268D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b6736f5e1d794a6865aea941abc9cacef494c50f9b5e023a484f194e820da189
Instruction ID: c1db3acf8eeeb616bbb184c28fd64c2ed86dbea4ef802e0718f5315eab22bde2
Opcode Fuzzy Hash: b6736f5e1d794a6865aea941abc9cacef494c50f9b5e023a484f194e820da189
Instruction Fuzzy Hash: 4E611175D00209EFDF04CFA8C985EAEBBB9FF48300F208529E955A7250D734A951DFA0

Function 0009DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0009DAA1

Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D659
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D66B
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D67D
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D68F
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6A1
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6B3
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6C5
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6D7
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6E9
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6FB
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D70D
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D71F
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D731

_free.LIBCMT ref: 0009DA96

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 0009DAB8
_free.LIBCMT ref: 0009DACD
_free.LIBCMT ref: 0009DAD8
_free.LIBCMT ref: 0009DAFA
_free.LIBCMT ref: 0009DB0D
_free.LIBCMT ref: 0009DB1B
_free.LIBCMT ref: 0009DB26
_free.LIBCMT ref: 0009DB5E
_free.LIBCMT ref: 0009DB65
_free.LIBCMT ref: 0009DB82
_free.LIBCMT ref: 0009DB9A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9d77aa090806268c39af5a8b52cb429aa839f15595ea721e0dc732780d1e2848
Instruction ID: d7d0c5c6b1a32dff7a208a500923ea75f75dbff2d4b5eb0591e0c95c4c0986ab
Opcode Fuzzy Hash: 9d77aa090806268c39af5a8b52cb429aa839f15595ea721e0dc732780d1e2848
Instruction Fuzzy Hash: 1E318D31684305EFEF61AA39E845B9AB7E9FF10320F51441AE488D7192DF31EC50E760

Function 000C365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000C369C
_wcslen.LIBCMT ref: 000C36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000C3797
GetClassNameW.USER32(?,?,00000400), ref: 000C380C
GetDlgCtrlID.USER32(?), ref: 000C385D
GetWindowRect.USER32(?,?), ref: 000C3882
GetParent.USER32(?), ref: 000C38A0
ScreenToClient.USER32(00000000), ref: 000C38A7
GetClassNameW.USER32(?,?,00000100), ref: 000C3921
GetWindowTextW.USER32(?,?,00000400), ref: 000C395D

Strings

%s%u, xrefs: 000C3734

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 6273feb5cd925072d5aff5e60ed01520298e874d10cb1705f5e49e8c5e09ce72
Instruction ID: 32ddb1a9c937f25c311f5e1e7af4038873214222d3b83d4af3279b462d76d6b2
Opcode Fuzzy Hash: 6273feb5cd925072d5aff5e60ed01520298e874d10cb1705f5e49e8c5e09ce72
Instruction Fuzzy Hash: 6291AC71214606AFDB18DF24C885FEEB7E8FF44350F00862DF999D2191DB34AA49CB91

Function 000C4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 000C4994
GetWindowTextW.USER32(?,?,00000400), ref: 000C49DA
_wcslen.LIBCMT ref: 000C49EB
CharUpperBuffW.USER32(?,00000000), ref: 000C49F7
_wcsstr.LIBVCRUNTIME ref: 000C4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 000C4A64
GetWindowTextW.USER32(?,?,00000400), ref: 000C4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 000C4AE6
GetClassNameW.USER32(?,?,00000400), ref: 000C4B20
GetWindowRect.USER32(?,?), ref: 000C4B8B

Strings

ThumbnailClass, xrefs: 000C4A6F, 000C4AF1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 15f865f23e250ba49c35ebe1a7a62e5e79a9abdd77b03dc2b0da926635fb724d
Instruction ID: f8f97fbdf640933fe6fc64aaf5a468dc59df8afec25700833933fb3749579753
Opcode Fuzzy Hash: 15f865f23e250ba49c35ebe1a7a62e5e79a9abdd77b03dc2b0da926635fb724d
Instruction Fuzzy Hash: 8E9189710082099BEB04DF14C995FAE77E8FF84314F04846DFD859A1A6DB34ED45CBA2

Function 000F8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000F8D5A
GetFocus.USER32 ref: 000F8D6A
GetDlgCtrlID.USER32(00000000), ref: 000F8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 000F8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000F8ECF
GetMenuItemCount.USER32(?), ref: 000F8EEC
GetMenuItemID.USER32(?,00000000), ref: 000F8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000F8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000F8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000F8FA1

Strings

0, xrefs: 000F8E9F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 30a6fff6d83c07251e0002a5483376294211c96bf992440f6aa06c423c0650ab
Instruction ID: 1b91bd8aa92e753608a4ca9d844d213c8a9cf8d1036e7d3bff338b7b6520eefb
Opcode Fuzzy Hash: 30a6fff6d83c07251e0002a5483376294211c96bf992440f6aa06c423c0650ab
Instruction Fuzzy Hash: 8781BF71508309AFE710CF14C885AFB7BE9FF88714F048969FA8597A92DB30D944EB61

Function 000CBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00131990,000000FF,00000000,00000030), ref: 000CBFAC
SetMenuItemInfoW.USER32(00131990,00000004,00000000,00000030), ref: 000CBFE1
Sleep.KERNEL32(000001F4), ref: 000CBFF3
GetMenuItemCount.USER32(?), ref: 000CC039
GetMenuItemID.USER32(?,00000000), ref: 000CC056
GetMenuItemID.USER32(?,-00000001), ref: 000CC082
GetMenuItemID.USER32(?,?), ref: 000CC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000CC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000CC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000CC145

Strings

0, xrefs: 000CBF3D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 3deda4e16bc8b17863303f3c6421a21b5d4c1f8271904bb8a3d4858a4270559b
Instruction ID: 65c29133eeb4522208e94a898db2941745f2431f2b609ade2f559cfe33452d87
Opcode Fuzzy Hash: 3deda4e16bc8b17863303f3c6421a21b5d4c1f8271904bb8a3d4858a4270559b
Instruction Fuzzy Hash: 21616AB090024AAFFB21CF64CD89FEE7BA8EB46354F140159E915A3292C735AD45DB60

Function 000CDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 000CDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000CDC46
_wcslen.LIBCMT ref: 000CDC50
_wcsstr.LIBVCRUNTIME ref: 000CDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000CDCBC

Strings

04090000, xrefs: 000CDCF2
StringFileInfo\, xrefs: 000CDC8F
%u.%u.%u.%u, xrefs: 000CDD9A
\VarFileInfo\Translation, xrefs: 000CDCB4
DefaultLangCodepage, xrefs: 000CDD1F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 9584d5eb4fe422bc2c86dcd20a63e4bb24a981c3b7045844beb33d37c419964f
Instruction ID: d9c283249cf0dbb8d71689849a15fb7631800bc7894fd59ba18ae465e638d65c
Opcode Fuzzy Hash: 9584d5eb4fe422bc2c86dcd20a63e4bb24a981c3b7045844beb33d37c419964f
Instruction Fuzzy Hash: 0B412F329402097AEB10B7649C47FFF37ACEF52710F10406AFA05A6193EB789900ABA5

Function 000ECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000ECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 000ECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000ECD48

Part of subcall function 000ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 000ECCAA
Part of subcall function 000ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 000ECCBD
Part of subcall function 000ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000ECCCF
Part of subcall function 000ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000ECD05
Part of subcall function 000ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000ECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 000ECCF3

Strings

advapi32.dll, xrefs: 000ECCB8
RegDeleteKeyExW, xrefs: 000ECCC9

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3882e3098319d5f2d12e415f55823434b2468e7521a841772c0d4023344fa277
Instruction ID: d72f8a90ab629d0ee761858e796009bface85f40a4144e55e4a37614d0486e62
Opcode Fuzzy Hash: 3882e3098319d5f2d12e415f55823434b2468e7521a841772c0d4023344fa277
Instruction Fuzzy Hash: 56316E7190112DBFFB208B55DC89EFFBBBCEF56750F000165E905E2240DB359A46EAA0

Function 000D3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000D3D40
_wcslen.LIBCMT ref: 000D3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 000D3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000D3DBE
RemoveDirectoryW.KERNEL32(?), ref: 000D3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000D3E55
CloseHandle.KERNEL32(00000000), ref: 000D3E60
CloseHandle.KERNEL32(00000000), ref: 000D3E6B

Strings

\, xrefs: 000D3D77
\??\%s, xrefs: 000D3D5B
:, xrefs: 000D3D82

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: fc83bd37a5d6367295aa968982adf02719dee8431114fde50ba197312c1f231c
Instruction ID: d961ceb6f1f2246b25a5c3ed87146e0c76672d1aa24b8c2eabeb5f5c660e907e
Opcode Fuzzy Hash: fc83bd37a5d6367295aa968982adf02719dee8431114fde50ba197312c1f231c
Instruction Fuzzy Hash: 3B319071900209AAEB209BA0EC49FEF37BDEF89740F1041B6F509D61A1E7749744DB35

Function 000CE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000CE6B4

Part of subcall function 0007E551: timeGetTime.WINMM(?,?,000CE6D4), ref: 0007E555

Sleep.KERNEL32(0000000A), ref: 000CE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 000CE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 000CE727
SetActiveWindow.USER32 ref: 000CE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000CE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 000CE773
Sleep.KERNEL32(000000FA), ref: 000CE77E
IsWindow.USER32 ref: 000CE78A
EndDialog.USER32(00000000), ref: 000CE79B

Strings

BUTTON, xrefs: 000CE719

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 18315aafac8813e4df2ff8cbb35c3d1c9646c56b804a85d372e91d38b4471e33
Instruction ID: 733b16c5bc21965c62021ac0f2ee5715c86d6982bf6858469c523e61a9736367
Opcode Fuzzy Hash: 18315aafac8813e4df2ff8cbb35c3d1c9646c56b804a85d372e91d38b4471e33
Instruction Fuzzy Hash: C42193B1204688AFFB106F61ED8BF3D3BA9FB55748F205428F905C19B1DB75AC50EA24

Function 000CE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000CEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000CEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000CEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000CEAA7

Strings

play PlayMe, xrefs: 000CEAA2
play PlayMe wait, xrefs: 000CEA91
status PlayMe mode, xrefs: 000CEA58
alias PlayMe, xrefs: 000CEA36
open , xrefs: 000CEA0C
close PlayMe, xrefs: 000CEA6E, 000CEA9B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b9d68b2756fbaab2a56aadb3259eda695fa2758bf3d0f766257291599c1886d7
Instruction ID: 7c8b8aa7fb3f90a4834e22ddd7ea3f64c0295763229398b0667d0a5f62c803c3
Opcode Fuzzy Hash: b9d68b2756fbaab2a56aadb3259eda695fa2758bf3d0f766257291599c1886d7
Instruction Fuzzy Hash: B2115631A902697DDB20A7A1ED4AEFF6ABCEFD2B04F4004297411A20D1EF705E55C9B1

Function 000C9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000CA012
SetKeyboardState.USER32(?), ref: 000CA07D
GetAsyncKeyState.USER32(000000A0), ref: 000CA09D
GetKeyState.USER32(000000A0), ref: 000CA0B4
GetAsyncKeyState.USER32(000000A1), ref: 000CA0E3
GetKeyState.USER32(000000A1), ref: 000CA0F4
GetAsyncKeyState.USER32(00000011), ref: 000CA120
GetKeyState.USER32(00000011), ref: 000CA12E
GetAsyncKeyState.USER32(00000012), ref: 000CA157
GetKeyState.USER32(00000012), ref: 000CA165
GetAsyncKeyState.USER32(0000005B), ref: 000CA18E
GetKeyState.USER32(0000005B), ref: 000CA19C

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0df17583a3bd75be6836ef6101ddffe357a6e3f4b9d11f48286d44488ba58754
Instruction ID: dc255f2d67392df68275be1ce5133077e5a06448b94693ae15ad0c61eadc1e67
Opcode Fuzzy Hash: 0df17583a3bd75be6836ef6101ddffe357a6e3f4b9d11f48286d44488ba58754
Instruction Fuzzy Hash: 1E51A420A0478C2AFB75DBB08815FEEBFF49F12384F08859DD9C2561C3DA54AA4CC762

Function 000C5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000C5CE2
GetWindowRect.USER32(00000000,?), ref: 000C5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 000C5D59
GetDlgItem.USER32(?,00000002), ref: 000C5D69
GetWindowRect.USER32(00000000,?), ref: 000C5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 000C5DCF
GetDlgItem.USER32(?,000003E9), ref: 000C5DDD
GetWindowRect.USER32(00000000,?), ref: 000C5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 000C5E31
GetDlgItem.USER32(?,000003EA), ref: 000C5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000C5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 000C5E67

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7b0618807ee4b930a0e3a4954fde7c4aeeb9f0f0caca823a53c20b6de58f06b0
Instruction ID: 39c358436396f98840f90bcb39e76d0b15c089951f899cb717e99a26ed229dd4
Opcode Fuzzy Hash: 7b0618807ee4b930a0e3a4954fde7c4aeeb9f0f0caca823a53c20b6de58f06b0
Instruction Fuzzy Hash: 47511F74A00609AFEF18CF68DD8AEAE7BB5EB48301F108129F516E7690D774AE40CB50

Function 00078BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00078F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00078BE8,?,00000000,?,?,?,?,00078BBA,00000000,?), ref: 00078FC5

DestroyWindow.USER32(?), ref: 00078C81
KillTimer.USER32(00000000,?,?,?,?,00078BBA,00000000,?), ref: 00078D1B
DestroyAcceleratorTable.USER32(00000000), ref: 000B6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00078BBA,00000000,?), ref: 000B69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00078BBA,00000000,?), ref: 000B69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00078BBA,00000000), ref: 000B69D4
DeleteObject.GDI32(00000000), ref: 000B69E6

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 28429eec086bfa4135487b7968a80e5d5f4992b6a7fa9a0ff8442b79301c88ca
Instruction ID: 143f5e96b093a366e5a00d450dcc162938261167eadd394dcbd0eb1d77abe640
Opcode Fuzzy Hash: 28429eec086bfa4135487b7968a80e5d5f4992b6a7fa9a0ff8442b79301c88ca
Instruction Fuzzy Hash: 7D618C30901604EFEB369F14CA4DB69B7F1FB40316F14C52CE04696960CB3AAC90DF99

Function 00079838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00079944: GetWindowLongW.USER32(?,000000EB), ref: 00079952

GetSysColor.USER32(0000000F), ref: 00079862

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 66d2515bac2e371a6a372811da64def18010c74089f1134e49c0bda37970b474
Instruction ID: 671ec7624e915adc744c59630204c3d02d11f8e87e90366b027a600d80f22073
Opcode Fuzzy Hash: 66d2515bac2e371a6a372811da64def18010c74089f1134e49c0bda37970b474
Instruction Fuzzy Hash: E441F631504644AFEB709F389C85BB937A5FB47330F148655F9AA872E1CB399C41DB21

Function 000C96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,000AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 000C9717
LoadStringW.USER32(00000000,?,000AF7F8,00000001), ref: 000C9720

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,000AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 000C9742
LoadStringW.USER32(00000000,?,000AF7F8,00000001), ref: 000C9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 000C9866

Strings

Line %d:, xrefs: 000C97A0
%s (%d) : ==> %s: %s %s, xrefs: 000C984A
Line %d (File "%s"):, xrefs: 000C978F
^ ERROR, xrefs: 000C97FB
Error: , xrefs: 000C981D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 6247d1d697fb8b8bc912d38871cb4386145d268d0fb28fc6cf5daa18b23049b1
Instruction ID: f0ac505f02d032746b3a6c1e739b2d9da27c6c6d6c93579a14e0847a431caf40
Opcode Fuzzy Hash: 6247d1d697fb8b8bc912d38871cb4386145d268d0fb28fc6cf5daa18b23049b1
Instruction Fuzzy Hash: 5C412C72900219AADB04FBE0DE86EEE7779AF55340F500065F60572193EF356F48DBA1

Function 000C06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000C07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000C07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000C07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000C0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 000C082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000C0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000C083C

Strings

\IPC$, xrefs: 000C0784
\CLSID, xrefs: 000C0724
SOFTWARE\Classes\, xrefs: 000C070E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6a6fa81569f80bf2f5969dd91ca88d547cb0f5ac1c847775defa9603d8f545fe
Instruction ID: 73c71e3e9ca68248b9a53350dcb8598b9d7e2b9cdc380b4bd89c57db31f611a3
Opcode Fuzzy Hash: 6a6fa81569f80bf2f5969dd91ca88d547cb0f5ac1c847775defa9603d8f545fe
Instruction Fuzzy Hash: 84410572D10229EBDF15EBA4DC95DEDB7B9BF04750B144129E901B3161EB30AE44CBA0

Function 000F3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 000F403B
CreateCompatibleDC.GDI32(00000000), ref: 000F4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 000F4055
SelectObject.GDI32(00000000,00000000), ref: 000F405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 000F4068
DeleteDC.GDI32(00000000), ref: 000F4072
GetWindowLongW.USER32(?,000000EC), ref: 000F407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 000F4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 000F409E

Strings

static, xrefs: 000F3FD3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f7c54939f0e6037ea0151a5d200531bbf416587b8d47dd70df2a91345baa1718
Instruction ID: b78c285a5020caed0a4fa3d09a57e592e3e673ff4a055c79fc28bde0534cbbbc
Opcode Fuzzy Hash: f7c54939f0e6037ea0151a5d200531bbf416587b8d47dd70df2a91345baa1718
Instruction Fuzzy Hash: 0E314B32501219ABEF219FA4CD09FEA3BA9FF09720F110211FB14E65A1CB79D860EB54

Function 000E3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000E3C5C
CoInitialize.OLE32(00000000), ref: 000E3C8A
CoUninitialize.OLE32 ref: 000E3C94
_wcslen.LIBCMT ref: 000E3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 000E3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 000E3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 000E3F0E
CoGetObject.OLE32(?,00000000,000FFB98,?), ref: 000E3F2D
SetErrorMode.KERNEL32(00000000), ref: 000E3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000E3FC4
VariantClear.OLEAUT32(?), ref: 000E3FD8

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 5672c61ff86f33d746930f266fefde7e5367904eb5c5345c5a3b01e14993cf6c
Instruction ID: 07c174fa1d719bb0fb9902718885c917794c3b6d3661ab77721ca1591226420b
Opcode Fuzzy Hash: 5672c61ff86f33d746930f266fefde7e5367904eb5c5345c5a3b01e14993cf6c
Instruction Fuzzy Hash: 69C176716083459FD700DF29C88896BBBE9FF89744F10492DF98AAB251DB31EE05CB52

Function 000D7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000D7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000D7B8F
SHGetDesktopFolder.SHELL32(?), ref: 000D7BA3
CoCreateInstance.OLE32(000FFD08,00000000,00000001,00126E6C,?), ref: 000D7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000D7C74
CoTaskMemFree.OLE32(?,?), ref: 000D7CCC
SHBrowseForFolderW.SHELL32(?), ref: 000D7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000D7D7A
CoTaskMemFree.OLE32(00000000), ref: 000D7D81
CoTaskMemFree.OLE32(00000000), ref: 000D7DD6
CoUninitialize.OLE32 ref: 000D7DDC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fe56ddeee472d59189e83523fee71dcb3288f5d486d08be798c96746f6b0350a
Instruction ID: 67da072f517c7347a5a22a7401b7da7cd181228d0a9a09468a86d7c6dca4fb2c
Opcode Fuzzy Hash: fe56ddeee472d59189e83523fee71dcb3288f5d486d08be798c96746f6b0350a
Instruction Fuzzy Hash: 34C12D75A04209AFDB14DF64C884DAEBBF9FF48314B148499E41ADB762DB30ED45CBA0

Function 000F541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000F5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F5515
CharNextW.USER32(00000158), ref: 000F5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000F5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000F559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F55AC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 34bcb4a352540d674ed30dff3dd01b7be3c55ea408a4e3f61d3bae0bd8bb1c2d
Instruction ID: 9ab7ee73c36cdde67d16e8040b42caa58bed30b707f6c7ea6733b3375b7a76af
Opcode Fuzzy Hash: 34bcb4a352540d674ed30dff3dd01b7be3c55ea408a4e3f61d3bae0bd8bb1c2d
Instruction Fuzzy Hash: F7618F30904A0CABEF20DF54CC85DFE7BB9EB05726F108145FB25A6A91D7749A81EB60

Function 000BFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000BFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 000BFB08
VariantInit.OLEAUT32(?), ref: 000BFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 000BFB3A
VariantCopy.OLEAUT32(?,?), ref: 000BFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 000BFBA1
VariantClear.OLEAUT32(?), ref: 000BFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 000BFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000BFBCC
VariantClear.OLEAUT32(?), ref: 000BFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000BFBE9

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b343301f4ab0491ae70aed872085c2e349ba40fb2c3d88c12346b7d9972dbd37
Instruction ID: d8e38264d2beb17aad53dd7f773d4f17b9627e1837448b383460944d09a930c8
Opcode Fuzzy Hash: b343301f4ab0491ae70aed872085c2e349ba40fb2c3d88c12346b7d9972dbd37
Instruction Fuzzy Hash: 4C416E35A0021A9FEB04DF64CC55DFEBBB9EF48344F008469E945A7261CB74A945CBA0

Function 000C9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000C9CA1
GetAsyncKeyState.USER32(000000A0), ref: 000C9D22
GetKeyState.USER32(000000A0), ref: 000C9D3D
GetAsyncKeyState.USER32(000000A1), ref: 000C9D57
GetKeyState.USER32(000000A1), ref: 000C9D6C
GetAsyncKeyState.USER32(00000011), ref: 000C9D84
GetKeyState.USER32(00000011), ref: 000C9D96
GetAsyncKeyState.USER32(00000012), ref: 000C9DAE
GetKeyState.USER32(00000012), ref: 000C9DC0
GetAsyncKeyState.USER32(0000005B), ref: 000C9DD8
GetKeyState.USER32(0000005B), ref: 000C9DEA

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4552de8713b46880cd65f46af759cc469b40f1439983da9d060db10a42350351
Instruction ID: 37b2f7724dcb869f7f8286ecbb70fe251f2a4bea7986f0e53b9a0055929ddd58
Opcode Fuzzy Hash: 4552de8713b46880cd65f46af759cc469b40f1439983da9d060db10a42350351
Instruction Fuzzy Hash: BF41D674504BC969FFB08760984CBBDBEE06F21344F04805EDAC7665C2DBE49AC8D7A2

Function 000E055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000E05BC
inet_addr.WSOCK32(?), ref: 000E061C
gethostbyname.WSOCK32(?), ref: 000E0628
IcmpCreateFile.IPHLPAPI ref: 000E0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000E06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000E06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 000E07B9
WSACleanup.WSOCK32 ref: 000E07BF

Strings

Ping, xrefs: 000E0676

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2cd18dabc833c2ad942931fb5ef265309d8c8cdf669cde34daea5c7783268831
Instruction ID: 3f98e7ea25e59592b6a4fbc160ec26ea65da01ce914571be4ff8f968a9317f5c
Opcode Fuzzy Hash: 2cd18dabc833c2ad942931fb5ef265309d8c8cdf669cde34daea5c7783268831
Instruction Fuzzy Hash: D691B1359082419FD320CF16C989F1ABBE1AF44318F1485A9F4A99B6A2C7B4FD85CF91

Function 000E8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 000E8CF3

Part of subcall function 000C8E54: _wcslen.LIBCMT ref: 000C8E77

_wcslen.LIBCMT ref: 000E8D4E
_wcslen.LIBCMT ref: 000E8D9C
_wcslen.LIBCMT ref: 000E8DDC
_wcslen.LIBCMT ref: 000E8E6E

Strings

stdcall, xrefs: 000E8DD6, 000E8DDB
cdecl, xrefs: 000E8D48, 000E8D4D
none, xrefs: 000E8E65, 000E8E6A
winapi, xrefs: 000E8D96, 000E8D9B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ad28ebaab82d9db2b37cd199f9348df43f260023ee17c78228c001355bcf214a
Instruction ID: db27ed321ceef7795368ea492a46a5382f04e184ebeb38d33aa1a0d78cb1ade3
Opcode Fuzzy Hash: ad28ebaab82d9db2b37cd199f9348df43f260023ee17c78228c001355bcf214a
Instruction Fuzzy Hash: DB51AF31A045569FCB24DF69C9409BEB3E6BF64320B218229E46AF73C5DB31DE40C790

Function 000E372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000E3774
CoUninitialize.OLE32 ref: 000E377F
CoCreateInstance.OLE32(?,00000000,00000017,000FFB78,?), ref: 000E37D9
IIDFromString.OLE32(?,?), ref: 000E384C
VariantInit.OLEAUT32(?), ref: 000E38E4
VariantClear.OLEAUT32(?), ref: 000E3936

Strings

Invalid parameter, xrefs: 000E3865
Failed to create object, xrefs: 000E37E4, 000E389A
NULL Pointer assignment, xrefs: 000E381E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 51a80b5134a251631ac82a0fc6a3b741e484652c3a57364b85c7f1caba71de07
Instruction ID: 4aafdd736c371f65dce06bbdd9df900a5c225322b15366021fa7a432a23c0741
Opcode Fuzzy Hash: 51a80b5134a251631ac82a0fc6a3b741e484652c3a57364b85c7f1caba71de07
Instruction Fuzzy Hash: 5F61AF70608341AFD320DF55C949FAEBBE8AF45714F100859F585A7292CB70EE48CB92

Function 000D3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 000D33CF

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000D33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 000D3522
"%s" (%d) : ==> %s:%s%s, xrefs: 000D3504
Line %d (File "%s"):, xrefs: 000D3443, 000D345C
^ ERROR , xrefs: 000D349E
Incorrect parameters to object property !, xrefs: 000D34AB
Error: , xrefs: 000D34D1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: eff92f4db08c180fc7eb31ad19dcf7573c16dd10a2fdc15c824a27f30193df1b
Instruction ID: 6f0a48279e499d551550a185b144d60b88a428c5fc5f228ba8b3290e81f19194
Opcode Fuzzy Hash: eff92f4db08c180fc7eb31ad19dcf7573c16dd10a2fdc15c824a27f30193df1b
Instruction Fuzzy Hash: DE518C32900219BADF15EBA0DE46EEEB7B9EF14340F104065F505721A2EB352F98DBA1

Function 000CB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000CB5FC
_wcslen.LIBCMT ref: 000CB608
_wcslen.LIBCMT ref: 000CB64D
_wcslen.LIBCMT ref: 000CB68C
_wcslen.LIBCMT ref: 000CB6C7

Strings

APPEND, xrefs: 000CB6C1, 000CB6C6
KEYS, xrefs: 000CB647, 000CB64C
EXISTS, xrefs: 000CB686, 000CB68B
REMOVE, xrefs: 000CB602, 000CB607

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7433c7778581a41331a8f614f478a5ce8163d0df55fee62c486cc83bc3d010a9
Instruction ID: 7c890118b19e01840755e2ae0c249e5c13a88215fda12cd8aa90aca90e418ac3
Opcode Fuzzy Hash: 7433c7778581a41331a8f614f478a5ce8163d0df55fee62c486cc83bc3d010a9
Instruction Fuzzy Hash: 7D41B432A000279BCB606F7DC992ABE77E5AB60754F25422DE865D7284E739CD81C790

Function 000D5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000D53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000D5416
GetLastError.KERNEL32 ref: 000D5420
SetErrorMode.KERNEL32(00000000,READY), ref: 000D54A7

Strings

UNKNOWN, xrefs: 000D5444
READONLY, xrefs: 000D5452
INVALID, xrefs: 000D5459
NOTREADY, xrefs: 000D544B
READY, xrefs: 000D5460, 000D5468

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e08c8aed124256721fdb98d4d95e870b831fead112eff71627bd3576ca67ff68
Instruction ID: e12d01d3106e2f16fc1b20c64f141463091d214df9407c54bdc08b9ca1512bc5
Opcode Fuzzy Hash: e08c8aed124256721fdb98d4d95e870b831fead112eff71627bd3576ca67ff68
Instruction Fuzzy Hash: 1931A235A006089FD750DF68C985EEA7BF4EF4530AF14806AE805DB392D770DD82CBA2

Function 000F3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 000F3C79
SetMenu.USER32(?,00000000), ref: 000F3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000F3D10
IsMenu.USER32(?), ref: 000F3D24
CreatePopupMenu.USER32 ref: 000F3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000F3D5B
DrawMenuBar.USER32 ref: 000F3D63

Strings

F, xrefs: 000F3D4E
0, xrefs: 000F3C54

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d290fae132313d49a56bffedb5da8cf674f5a509bce9b6ed6108e1725cb52247
Instruction ID: 487e6150eba5a419b90389469b6826481ed0def72d50a4782cce193d1c14ea29
Opcode Fuzzy Hash: d290fae132313d49a56bffedb5da8cf674f5a509bce9b6ed6108e1725cb52247
Instruction Fuzzy Hash: 04418874A01209EFEB14DF64E844EEA7BF5FF49320F140028EA46A7760D730AA10EF90

Function 000C1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 000C1F64
GetDlgCtrlID.USER32 ref: 000C1F6F
GetParent.USER32 ref: 000C1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 000C1F8E
GetDlgCtrlID.USER32(?), ref: 000C1F97
GetParent.USER32(?), ref: 000C1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 000C1FAE

Strings

ListBox, xrefs: 000C1F21
ComboBox, xrefs: 000C1EEC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 575cedb75416c03f896f6dee72acbea5013bdb74a76f19db47a5a9241b95c2bb
Instruction ID: bba800ac5bac1f6b092f1081e57d5e9f01aaa8d81a9d8736a81d1647ef551fae
Opcode Fuzzy Hash: 575cedb75416c03f896f6dee72acbea5013bdb74a76f19db47a5a9241b95c2bb
Instruction Fuzzy Hash: 4621C270904218BBDF04AFA0DC85EFEBBB9EF16350B004119F961A7692CB385919EB60

Function 000C1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 000C2043
GetDlgCtrlID.USER32 ref: 000C204E
GetParent.USER32 ref: 000C206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 000C206D
GetDlgCtrlID.USER32(?), ref: 000C2076
GetParent.USER32(?), ref: 000C208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 000C208D

Strings

ListBox, xrefs: 000C2002
ComboBox, xrefs: 000C1FCD

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 61ac624959ad00f65ff60c7834d3572b7d1cacbb819d6f01c4bcfdd495ab3fda
Instruction ID: 2a176decd8908bed68a0b2bbd0314fef61a9491820c833fb1609256befb2affa
Opcode Fuzzy Hash: 61ac624959ad00f65ff60c7834d3572b7d1cacbb819d6f01c4bcfdd495ab3fda
Instruction Fuzzy Hash: 2021D771900218BBDF10AFA0DD85EFEBBB9EF15340F104006B951A75A2CB794514EB60

Function 000F3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000F3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000F3AA0
GetWindowLongW.USER32(?,000000F0), ref: 000F3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000F3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000F3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 000F3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 000F3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 000F3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 000F3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 000F3C13

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e332aea036a71daaa1d1e7002d3e0ee106d2715db31236c14bd69dd41e55a140
Instruction ID: 81f22ef1d527b922de69a81e46765b3b73c17702c7c59cc5998405d74a4ab783
Opcode Fuzzy Hash: e332aea036a71daaa1d1e7002d3e0ee106d2715db31236c14bd69dd41e55a140
Instruction Fuzzy Hash: 1B615A75900248AFDB10DFA8CC81EFE77F8EB09714F104199FA15E72A2D774AA85EB50

Function 000CB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000CB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,000CA1E1,?,00000001), ref: 000CB165
GetWindowThreadProcessId.USER32(00000000), ref: 000CB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000CA1E1,?,00000001), ref: 000CB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 000CB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000CA1E1,?,00000001), ref: 000CB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000CA1E1,?,00000001), ref: 000CB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000CA1E1,?,00000001), ref: 000CB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000CA1E1,?,00000001), ref: 000CB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000CA1E1,?,00000001), ref: 000CB21D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f8872e633b59a77dc7d327812b9339627ec22b71466f4443806cb1ea6432f53a
Instruction ID: 449026286ffc62bbc590a2cd74ec9c3023156725d5735998476cd982c8b4f432
Opcode Fuzzy Hash: f8872e633b59a77dc7d327812b9339627ec22b71466f4443806cb1ea6432f53a
Instruction Fuzzy Hash: 09319A71500208BFEB249F28DD4AFBEBBA9BB51315F144009FA11D7590D7B89E80CF68

Function 00092C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00092C94

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 00092CA0
_free.LIBCMT ref: 00092CAB
_free.LIBCMT ref: 00092CB6
_free.LIBCMT ref: 00092CC1
_free.LIBCMT ref: 00092CCC
_free.LIBCMT ref: 00092CD7
_free.LIBCMT ref: 00092CE2
_free.LIBCMT ref: 00092CED
_free.LIBCMT ref: 00092CFB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 079da8cd1c01cd45e57c100408ba3fa50c2c73760e2ce3e9f85699f6da02b975
Instruction ID: 2a92286bcfd8d667dbaeafd5aceaf0ac068a282f7ae9677fdb001fe547bdb63d
Opcode Fuzzy Hash: 079da8cd1c01cd45e57c100408ba3fa50c2c73760e2ce3e9f85699f6da02b975
Instruction Fuzzy Hash: D3114076510108BFCF02EF94D982CDD3BA9FF05350F9145A5FA889B222DA31EA50AB90

Function 000D7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000D7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 000D7FC1
GetFileAttributesW.KERNEL32(?), ref: 000D7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 000D8005
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8017
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000D80B0

Strings

*.*, xrefs: 000D8066

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: ab895eedc392d05ea4202e711bfc6d5b0d4f8db05581a9193e2ebe53b0286c95
Instruction ID: 6e3d2a15cdda8e9434d3e90aa5680ca5d50ff4538f9763104020c4636e5bf49b
Opcode Fuzzy Hash: ab895eedc392d05ea4202e711bfc6d5b0d4f8db05581a9193e2ebe53b0286c95
Instruction Fuzzy Hash: A3819E725083419BDB64EF14C844AAEB7E9BF88314F54486FF889C7351EB34DD458B62

Function 000F7E9E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C369F0), ref: 000F7F37
IsWindowEnabled.USER32(00C369F0), ref: 000F7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 000F801E
SendMessageW.USER32(00C369F0,000000B0,?,?), ref: 000F8051
IsDlgButtonChecked.USER32(?,?), ref: 000F8089
GetWindowLongW.USER32(00C369F0,000000EC), ref: 000F80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 000F80C3

Strings

InitializeCriticalSectionEx, xrefs: 000F80B1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: InitializeCriticalSectionEx
API String ID: 4072528602-3084827643
Opcode ID: 44078c36d3a8b5be6c4fc4f9ce2f01906661b31d9741a59a8664df4d6ef071c1
Instruction ID: ba4d3bf886566a66334604502b60c4a7f20d2e68a87363319e44fff131061ffc
Opcode Fuzzy Hash: 44078c36d3a8b5be6c4fc4f9ce2f01906661b31d9741a59a8664df4d6ef071c1
Instruction Fuzzy Hash: 0471803460820DAFEB619F54CC95FFA7BF9FF09300F144469EA4997A61CB31A849EB11

Function 00065BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00065C7A

Part of subcall function 00065D0A: GetClientRect.USER32(?,?), ref: 00065D30
Part of subcall function 00065D0A: GetWindowRect.USER32(?,?), ref: 00065D71
Part of subcall function 00065D0A: ScreenToClient.USER32(?,?), ref: 00065D99

GetDC.USER32 ref: 000A46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000A4708
SelectObject.GDI32(00000000,00000000), ref: 000A4716
SelectObject.GDI32(00000000,00000000), ref: 000A472B
ReleaseDC.USER32(?,00000000), ref: 000A4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000A47C4

Strings

U, xrefs: 000A4693

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: bdd404fcfb433f482cf76a6b76fecb8ff8354ee13bffb6038a5c87ede394b551
Instruction ID: ddaea051ceab56f886917b9825d9cbf904aaeb4975178434924bf7080608e8db
Opcode Fuzzy Hash: bdd404fcfb433f482cf76a6b76fecb8ff8354ee13bffb6038a5c87ede394b551
Instruction Fuzzy Hash: D771EE38404249DFCF618FA4CD85AFE7BF2FF8A321F144269E9555A2A6C7B08881DF50

Function 000D359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 000D35E4

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

LoadStringW.USER32(00132390,?,00000FFF,?), ref: 000D360A

Strings

"%s" (%d) : ==> %s:, xrefs: 000D3742
"%s" (%d) : ==> %s:%s%s, xrefs: 000D3724
Line %d (File "%s"):, xrefs: 000D366B
^ ERROR, xrefs: 000D36C9
Error: , xrefs: 000D36EF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6338928ba708ffdc78cf0af376d44e27e93e38d08febdce66d165e17c22ef862
Instruction ID: b5e659b2adf2626a2d3e9400ba86f07ffdf651ff7ac7cafc32b7711004c43605
Opcode Fuzzy Hash: 6338928ba708ffdc78cf0af376d44e27e93e38d08febdce66d165e17c22ef862
Instruction Fuzzy Hash: 11517E72800219BBDF14EBA0DD42EEEBB79EF14310F144125F505726A2EB316B99DFA1

Function 000F8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

Part of subcall function 0007912D: GetCursorPos.USER32(?), ref: 00079141
Part of subcall function 0007912D: ScreenToClient.USER32(00000000,?), ref: 0007915E
Part of subcall function 0007912D: GetAsyncKeyState.USER32(00000001), ref: 00079183
Part of subcall function 0007912D: GetAsyncKeyState.USER32(00000002), ref: 0007919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 000F8B6B
ImageList_EndDrag.COMCTL32 ref: 000F8B71
ReleaseCapture.USER32 ref: 000F8B77
SetWindowTextW.USER32(?,00000000), ref: 000F8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000F8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 000F8CFF

Strings

@GUI_DRAGFILE, xrefs: 000F8C9A
@GUI_DROPID, xrefs: 000F8C51

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 122cc784a8598ffa8a049cefbb55cb07069ec3bbbb6f03aa119c3566e6847a5f
Instruction ID: 7856e2ab25867f9cf8292df7e747583223df62dc9d9c5bf5b69879f1b89d58e3
Opcode Fuzzy Hash: 122cc784a8598ffa8a049cefbb55cb07069ec3bbbb6f03aa119c3566e6847a5f
Instruction Fuzzy Hash: 3E517C70204208AFE700DF14DD56FBA77E5FB88714F40052DFA56976E2CB749944DBA2

Function 000DC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000DC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000DC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000DC2CA
GetLastError.KERNEL32 ref: 000DC322
SetEvent.KERNEL32(?), ref: 000DC336
InternetCloseHandle.WININET(00000000), ref: 000DC341

Strings

, xrefs: 000DC2BB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a9b52b0aa5c00eeb543829157ee48a9a2184e0b8eee91a922a83eef4df793583
Instruction ID: b454627e3b21f0773ba6c6f6d949786e33b63362148220d1e5b9fd17961493d3
Opcode Fuzzy Hash: a9b52b0aa5c00eeb543829157ee48a9a2184e0b8eee91a922a83eef4df793583
Instruction Fuzzy Hash: F3317AB1604309AFFB61AF648989EBB7AFCEB49740B14851EB44692701DB34DE04DB70

Function 000C989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000A3AAF,?,?,Bad directive syntax error,000FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 000C98BC
LoadStringW.USER32(00000000,?,000A3AAF,?), ref: 000C98C3

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000C9987

Strings

Line %d:, xrefs: 000C9912
., xrefs: 000C996D
Line %d (File "%s"):, xrefs: 000C992D
%s (%d) : ==> %s.: %s %s, xrefs: 000C98F1
Error: , xrefs: 000C9955

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 4eaf1d5d055f395780b834af82dfefc73f5e7730b8b2f92ba917003d7d86f8ca
Instruction ID: a7920d79a49a727380e7d4df7d46f3012ed4da97a4eb4d6983303e6bc1473153
Opcode Fuzzy Hash: 4eaf1d5d055f395780b834af82dfefc73f5e7730b8b2f92ba917003d7d86f8ca
Instruction Fuzzy Hash: 9C217E3180025EABDF11AF90CC0AEFE777AFF18700F044469F519660A2EB359A28DB50

Function 000C209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000C20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 000C20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000C214D

Strings

list, xrefs: 000C212F
largeicons, xrefs: 000C20E1
details, xrefs: 000C20FB
smallicons, xrefs: 000C2115
SHELLDLL_DefView, xrefs: 000C20CC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 611fe14b9cde8d70aee4a339e5ca3512fbaa502835a84b2e032aaf86ca8c0888
Instruction ID: 9a558171fded584989d3df3bf4f6e89642619c4c96bea5a2cd3e360b43f88851
Opcode Fuzzy Hash: 611fe14b9cde8d70aee4a339e5ca3512fbaa502835a84b2e032aaf86ca8c0888
Instruction Fuzzy Hash: 6B11E376688717B9FA153720AC07EEE379DDB25324B20002AFF04A94E2EAB568115A14

Function 00098D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92cc6c24e8e2ebb1e4967c8200ffcb28c5765fb2d98bbfd47463ad3bb69e4454
Instruction ID: fffd72a36da3ef3754a8c7603a0989029613889a4479d15fba5cce04ba16a5f2
Opcode Fuzzy Hash: 92cc6c24e8e2ebb1e4967c8200ffcb28c5765fb2d98bbfd47463ad3bb69e4454
Instruction Fuzzy Hash: 99C1D074904249AFDF21EFACC855BEDBBF4BF4A310F044099E468A7392D7309941EB61

Function 0009CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0009CEB7
_free.LIBCMT ref: 0009CF22
_free.LIBCMT ref: 0009CF48
_free.LIBCMT ref: 0009CF71
_free.LIBCMT ref: 0009CFA9
_free.LIBCMT ref: 0009CFDA
_free.LIBCMT ref: 0009D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0009D09C
_free.LIBCMT ref: 0009D0B5

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4edde51d6c4a2bc627382bed3292d0443facd329f542dc5f95793da57957bade
Instruction ID: f6966bb917b27f0ef6cdf494cd71f0a3b75f5471c102680e00f8f0ec2b274bb7
Opcode Fuzzy Hash: 4edde51d6c4a2bc627382bed3292d0443facd329f542dc5f95793da57957bade
Instruction Fuzzy Hash: 64612771D04305AFEF22AFB498A1EAE7BE5EF05350F04417EF94597282D7319E41A790

Function 000F50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 000F5186
ShowWindow.USER32(?,00000000), ref: 000F51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 000F51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 000F51D1

Part of subcall function 000F6FBA: DeleteObject.GDI32(00000000), ref: 000F6FE6

GetWindowLongW.USER32(?,000000F0), ref: 000F520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000F521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000F524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 000F5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 000F5296

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: bf95b114f3e301f4c7e10d4dda69e051b70c165c8fb1ad695ed97dd89d9f6314
Instruction ID: d63fcd1eead2bb6ec94486abae67cfa48236bf0500dc34223573bb7e75c46e53
Opcode Fuzzy Hash: bf95b114f3e301f4c7e10d4dda69e051b70c165c8fb1ad695ed97dd89d9f6314
Instruction Fuzzy Hash: 21516F30A44A0CBEEF749F24CC46BF93BA5BB46322F148211F71596AE1D775A980FB41

Function 00078B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000B6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000B68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000B68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000B68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000B68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00078874,00000000,00000000,00000000,000000FF,00000000), ref: 000B6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000B691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00078874,00000000,00000000,00000000,000000FF,00000000), ref: 000B692D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: edff9fb1b806dcbd48aae1c384061ab0365b18b08597674f6b7310b6c3d43ee2
Instruction ID: b165e86b027da736bcbdbd4e34f434e533cfa79f54e1bf5c77fa3d1824f69288
Opcode Fuzzy Hash: edff9fb1b806dcbd48aae1c384061ab0365b18b08597674f6b7310b6c3d43ee2
Instruction Fuzzy Hash: A7519E70A00209EFEB20CF25CC56FAA77F5FB58750F108528F90A976A0DB79E990DB54

Function 000DC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000DC182
GetLastError.KERNEL32 ref: 000DC195
SetEvent.KERNEL32(?), ref: 000DC1A9

Part of subcall function 000DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000DC272
Part of subcall function 000DC253: GetLastError.KERNEL32 ref: 000DC322
Part of subcall function 000DC253: SetEvent.KERNEL32(?), ref: 000DC336
Part of subcall function 000DC253: InternetCloseHandle.WININET(00000000), ref: 000DC341

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 81893a8725a321198f0a10e8052dc7b8e6023ddb2e854670b79a599d01e4ae6b
Instruction ID: d0afd9c99ed5c1ee167c6170de5f9ff9652030718fe65aec899ba5938f694f43
Opcode Fuzzy Hash: 81893a8725a321198f0a10e8052dc7b8e6023ddb2e854670b79a599d01e4ae6b
Instruction Fuzzy Hash: 7D318771200746AFFB219FA59D44EBABBE8FF58300B10442EF95682B10C734E814EBB0

Function 000C25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C3A57
Part of subcall function 000C3A3D: GetCurrentThreadId.KERNEL32 ref: 000C3A5E
Part of subcall function 000C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000C25B3), ref: 000C3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 000C25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000C25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 000C25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 000C25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000C2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 000C2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 000C260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000C2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 000C2627

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 02bb191f170a84eb2b6f4e2daf3906520f79ec36da68dd70e9933b25e1461949
Instruction ID: 128f0a8a8c1117ee11d026120ea2d5a447f9bd89c6e3ff81abb3132a3ba911fa
Opcode Fuzzy Hash: 02bb191f170a84eb2b6f4e2daf3906520f79ec36da68dd70e9933b25e1461949
Instruction Fuzzy Hash: 9D01D430394614BBFB2067689C8BFAD3F59EF4EB12F100005F318AE0E1C9F26454DA6A

Function 000C1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,000C1449,?,?,00000000), ref: 000C180C
HeapAlloc.KERNEL32(00000000,?,000C1449,?,?,00000000), ref: 000C1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000C1449,?,?,00000000), ref: 000C1828
GetCurrentProcess.KERNEL32(?,00000000,?,000C1449,?,?,00000000), ref: 000C1830
DuplicateHandle.KERNEL32(00000000,?,000C1449,?,?,00000000), ref: 000C1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000C1449,?,?,00000000), ref: 000C1843
GetCurrentProcess.KERNEL32(000C1449,00000000,?,000C1449,?,?,00000000), ref: 000C184B
DuplicateHandle.KERNEL32(00000000,?,000C1449,?,?,00000000), ref: 000C184E
CreateThread.KERNEL32(00000000,00000000,000C1874,00000000,00000000,00000000), ref: 000C1868

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1e6a0e7e95339cf56a3c99f0e307e0928c99cd03da2a062ada0d83c4c0e28368
Instruction ID: 76c1bc2ba56e79069575a6b4e8aa348a934c7b0d6613fa237c0c9edb1368051b
Opcode Fuzzy Hash: 1e6a0e7e95339cf56a3c99f0e307e0928c99cd03da2a062ada0d83c4c0e28368
Instruction Fuzzy Hash: 9301BF75240308BFF710AB65DD4EF6B3B6CFB8AB11F004411FA05DB591CA749814DB60

Function 000EA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 000CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 000CD501
Part of subcall function 000CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 000CD50F
Part of subcall function 000CD4DC: CloseHandle.KERNELBASE(00000000), ref: 000CD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 000EA16D
GetLastError.KERNEL32 ref: 000EA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000EA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 000EA268
GetLastError.KERNEL32(00000000), ref: 000EA273
CloseHandle.KERNEL32(00000000), ref: 000EA2C4

Strings

SeDebugPrivilege, xrefs: 000EA18F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1d9870f59ce96b2b860a94eaddee5c8394a8f4902e43a4b43a058b54558b54d0
Instruction ID: 326c41b075802b17bbb71217ce41a463ce3c509777426151852bcc2d42697e65
Opcode Fuzzy Hash: 1d9870f59ce96b2b860a94eaddee5c8394a8f4902e43a4b43a058b54558b54d0
Instruction Fuzzy Hash: 5961B3302042819FE720DF19C494F69BBE1AF49318F14849CE5669BBA3C776FD45CB92

Function 000F3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000F3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 000F393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000F3954
_wcslen.LIBCMT ref: 000F3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 000F39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 000F39F4

Strings

SysListView32, xrefs: 000F38F7

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 60a15a3ad3425bf3a7dbd7fca1a1a3c8cedac37b843acd64cd01b2a851b06b87
Instruction ID: 6d5f540cc8c78d114ee5dde2bf4089d2cf5035820b470eae4ea0c38afbc78d38
Opcode Fuzzy Hash: 60a15a3ad3425bf3a7dbd7fca1a1a3c8cedac37b843acd64cd01b2a851b06b87
Instruction Fuzzy Hash: 22419171A0431DABEB219F64CC45FFA77A9EF08360F100526FA58E7681D7B59980DB90

Function 000CBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000CBCFD
IsMenu.USER32(00000000), ref: 000CBD1D
CreatePopupMenu.USER32 ref: 000CBD53
GetMenuItemCount.USER32(00C36BA8), ref: 000CBDA4
InsertMenuItemW.USER32(00C36BA8,?,00000001,00000030), ref: 000CBDCC

Strings

2, xrefs: 000CBD37
0, xrefs: 000CBCA8

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 3526c8a78bdb911d8af74a28913069108a463fe8ebd78911d19d2b37648540b4
Instruction ID: 09e73ad90dc644931f8b150bdd97323a3cc1c305e5034beeac02f1ff51382eef
Opcode Fuzzy Hash: 3526c8a78bdb911d8af74a28913069108a463fe8ebd78911d19d2b37648540b4
Instruction Fuzzy Hash: D551AD70A002099BEB20DFA8D986FAEBBF8BF45314F14415DE403AB291E7709945CB61

Function 000CC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000CC913

Strings

warning, xrefs: 000CC8FC
info, xrefs: 000CC8B4
question, xrefs: 000CC8CC
stop, xrefs: 000CC8E4
blank, xrefs: 000CC895

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f453c1d8da6e451a5bb42858eb4ac87eea8637758698575042731881b462b398
Instruction ID: e9075b018c98722f342678c93caebb63c076c6217e7bf0088334cd6f8dd873dd
Opcode Fuzzy Hash: f453c1d8da6e451a5bb42858eb4ac87eea8637758698575042731881b462b398
Instruction Fuzzy Hash: DF11D831689317BAF715AB54EC83EAE77ECDF15354B10002EF508A61C2E7B49D005365

Function 000CDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000CDE42
gethostname.WSOCK32(?,00000100), ref: 000CDE5C
gethostbyname.WSOCK32(?), ref: 000CDE69
inet_ntoa.WSOCK32(?), ref: 000CDEAB
_strcat.LIBCMT ref: 000CDEB9
WSACleanup.WSOCK32 ref: 000CDEDE

Strings

0.0.0.0, xrefs: 000CDE87

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: d6f67392968f08c75c0e9207459d69beb11f5d88e2104455b313fb94452b7e64
Instruction ID: ece1bb6fd445cc75eb34ca900adf210df9cc2d1a0cb3a5028020a584bd347ff3
Opcode Fuzzy Hash: d6f67392968f08c75c0e9207459d69beb11f5d88e2104455b313fb94452b7e64
Instruction Fuzzy Hash: 40110A31904219ABEB307B60DC0AEEF77ACEF15710F01017EF54596092EF748A81DB50

Function 000BD3A2 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 000BD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000BD3BF
FreeLibrary.KERNEL32(00000000), ref: 000BD3E5
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000BD3FC

Strings

GetSystemWow64DirectoryW, xrefs: 000BD3B9
X64, xrefs: 000BD2A8
kernel32.dll, xrefs: 000BD3A8

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: GetSystemWow64DirectoryW$X64$kernel32.dll
API String ID: 582185067-2904798639
Opcode ID: 30caa3151f93f63e5f1eb40bff59d70236e7117ac6da25d1913328f2798b59e2
Instruction ID: bc0a877df13bdc34b7eba30e4ee42ba0ad8b35e55db3f3aad868adec327a3932
Opcode Fuzzy Hash: 30caa3151f93f63e5f1eb40bff59d70236e7117ac6da25d1913328f2798b59e2
Instruction Fuzzy Hash: 37F0E23090626A9BE7B197108C6AEFDB3B4BF11B01F448056F506F6485EB38CE04EA91

Function 000F9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

GetSystemMetrics.USER32(0000000F), ref: 000F9FC7
GetSystemMetrics.USER32(0000000F), ref: 000F9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 000FA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000FA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000FA263
ShowWindow.USER32(00000003,00000000), ref: 000FA282
InvalidateRect.USER32(?,00000000,00000001), ref: 000FA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 000FA2CA

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 6a4be169bd9d10f14c8fa501d7ae9a15386b03cc04bd4c9f1dbe9b1e79d049d5
Instruction ID: d793930fe61f6308add3d0465e14e540deab9a1df64f10bbdb3f1eed4ce711f5
Opcode Fuzzy Hash: 6a4be169bd9d10f14c8fa501d7ae9a15386b03cc04bd4c9f1dbe9b1e79d049d5
Instruction Fuzzy Hash: FDB1DA70600219EFDF54CF68C985BBE3BF2BF45700F098069EE489BA85D735A940EB61

Function 000CED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000CED2A
_wcslen.LIBCMT ref: 000CED3B
_wcslen.LIBCMT ref: 000CED79
_wcslen.LIBCMT ref: 000CEDAF
_wcslen.LIBCMT ref: 000CEDDF
_wcslen.LIBCMT ref: 000CEDEF
_wcslen.LIBCMT ref: 000CEE2B
_wcslen.LIBCMT ref: 000CEE5A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e6371d1536a0d33f5cafa55a46e8796a52c5eca4068aae29a77ab67bea31efed
Instruction ID: 00b23b219f6b92b5c790a3965da5f739f7943b5287b0a525c2b135ca3dc2fbe6
Opcode Fuzzy Hash: e6371d1536a0d33f5cafa55a46e8796a52c5eca4068aae29a77ab67bea31efed
Instruction Fuzzy Hash: 0241AE65C1021876CB21FBB4C88AACFB7A8BF45310F518567E558E3163FB34E245C3A6

Function 0007F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000B682C,00000004,00000000,00000000), ref: 0007F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000B682C,00000004,00000000,00000000), ref: 000BF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000B682C,00000004,00000000,00000000), ref: 000BF454

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8beb0ec998f0f324a9e4c6f781aadc856fa896f9345cb3249221d17cb1befd35
Instruction ID: b67242572c9e913c7055813a985d78ca34acbce10d0ef9b618141bcab77c97cb
Opcode Fuzzy Hash: 8beb0ec998f0f324a9e4c6f781aadc856fa896f9345cb3249221d17cb1befd35
Instruction Fuzzy Hash: 4C413B31A08782BAD7749B2DCD88BBA7BD1AB46314F14C03CE24F97961D73DA880DB15

Function 000F2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000F2D1B
GetDC.USER32(00000000), ref: 000F2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000F2D2E
ReleaseDC.USER32(00000000,00000000), ref: 000F2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000F2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000F2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 000F2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000F2DE1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b48e38698d4c889d3db7d90ce746633e8824a06cc99f31d2cf72deed20215822
Instruction ID: bb9c701ff679e24327cf50dffe508709624f66b0a8d9c894201849ec1a5caa97
Opcode Fuzzy Hash: b48e38698d4c889d3db7d90ce746633e8824a06cc99f31d2cf72deed20215822
Instruction Fuzzy Hash: 1F318972201618BBFB218F50CC8AFFB3BA9EF09711F044055FE08DA691C6799C51DBA0

Function 000C5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000C5637
_memcmp.LIBVCRUNTIME ref: 000C5659
_memcmp.LIBVCRUNTIME ref: 000C5671
_memcmp.LIBVCRUNTIME ref: 000C5684
_memcmp.LIBVCRUNTIME ref: 000C569E
_memcmp.LIBVCRUNTIME ref: 000C56B1
_memcmp.LIBVCRUNTIME ref: 000C56C9
_memcmp.LIBVCRUNTIME ref: 000C56E4

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6af4736030a158defcaa53f32d1fe17e9cf703f2979664c4a99ccab5bb434f6a
Instruction ID: f73cc7be015d95434fa8950ce827164efe902ab3ecec7ff6d2c4df9cc6b5b6b0
Opcode Fuzzy Hash: 6af4736030a158defcaa53f32d1fe17e9cf703f2979664c4a99ccab5bb434f6a
Instruction Fuzzy Hash: 6921C87564091977961467109E82FFE279CAF51386B440028FE045B982F760FE9192E9

Function 000E4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 000E5007
NULL Pointer assignment, xrefs: 000E502E, 000E5383

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0ecbb6b56dad1101f69cedb29957a7d5430e856be3557c14ea5af76b59279e71
Instruction ID: 54933f895f0ec7daab6c3eae8e251f3f827a479321c9064d4b07c409e54baab2
Opcode Fuzzy Hash: 0ecbb6b56dad1101f69cedb29957a7d5430e856be3557c14ea5af76b59279e71
Instruction Fuzzy Hash: 6BD1B071A0064A9FDF14CFA9CC81BAEB7F5BF48348F148869E915AB281E770DD41CB90

Function 000A1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 000A15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000A1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,000A17FB,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000A16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000A16FB

Part of subcall function 00093820: RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000A1777
__freea.LIBCMT ref: 000A17A2
__freea.LIBCMT ref: 000A17AE

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f3decf5d0ddeac115bc80596d3ea9901ddb5d9ad15c87a00158f4a515ae5100f
Instruction ID: b32e8208960b75c82d9b759bbe7982b6fe8a4f487db6e54045fa4d17aae75ec2
Opcode Fuzzy Hash: f3decf5d0ddeac115bc80596d3ea9901ddb5d9ad15c87a00158f4a515ae5100f
Instruction Fuzzy Hash: B191D471E046169ADF249EF4CC81EEE7BF5AF4A350F184669E812E7181EB35DD40CBA0

Function 000E4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000E4648
VariantInit.OLEAUT32(?), ref: 000E4749
VariantClear.OLEAUT32(?), ref: 000E4753
VariantClear.OLEAUT32(?), ref: 000E47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 000E472C
Null Object assignment in FOR..IN loop, xrefs: 000E45D8, 000E4706, 000E47BE

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ad2870ae27a61f3ad4977521788f3cd8a588915508d6aa584b1a0d93e55a3ed4
Instruction ID: cb8676c66d283ab4557208ac1fda00c06a81965c10dbc5ad5460e058ff4b186a
Opcode Fuzzy Hash: ad2870ae27a61f3ad4977521788f3cd8a588915508d6aa584b1a0d93e55a3ed4
Instruction Fuzzy Hash: 88919171A04259AFDF20CFA6D884FAEBBB8EF86710F108559F545BB281D7709941CFA0

Function 000D1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 000D125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 000D1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 000D12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000D12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000D135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000D13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000D1430

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 0f3b10f21782cbbc4fe2ab4bf43d5ec72face00807f07b3fb39e146ea6bb17fb
Instruction ID: 3b00364bc861af0cce5fd3ca0d87d86b17b16d35efa633dbfb7a7342dfad6a25
Opcode Fuzzy Hash: 0f3b10f21782cbbc4fe2ab4bf43d5ec72face00807f07b3fb39e146ea6bb17fb
Instruction Fuzzy Hash: 0391BF75A00309AFEB109F98C885BFE77B5FF45315F14402AE940E7392DB79A941CBA0

Function 0007948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 053fd052c4c73b2ae9dbb2fade18b0c8910e4bff198070400431f232e83fddf2
Instruction ID: f26430baad7efe5f8c47ed458cce450babcca2afe669ea27467eac55d9a28e26
Opcode Fuzzy Hash: 053fd052c4c73b2ae9dbb2fade18b0c8910e4bff198070400431f232e83fddf2
Instruction Fuzzy Hash: FF913A71D00219EFCB50CFA9CC84AEEBBB8FF89320F148555E519B7251D778AA42CB64

Function 000E3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000E396B
CharUpperBuffW.USER32(?,?), ref: 000E3A7A
_wcslen.LIBCMT ref: 000E3A8A
VariantClear.OLEAUT32(?), ref: 000E3C1F

Part of subcall function 000D0CDF: VariantInit.OLEAUT32(00000000), ref: 000D0D1F
Part of subcall function 000D0CDF: VariantCopy.OLEAUT32(?,?), ref: 000D0D28
Part of subcall function 000D0CDF: VariantClear.OLEAUT32(?), ref: 000D0D34

Strings

Incorrect Parameter format, xrefs: 000E39A6, 000E3BA1
AUTOIT.ERROR, xrefs: 000E3A80, 000E3A85

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 6d3d29e52e9f96d7c52aacc4fb3f9eb280ad6b147493ba985c69c03abfcce5e0
Instruction ID: f7d1c5acd85a86b57cd5dc7687feee0b6002de5240a18f55b552440d454257ea
Opcode Fuzzy Hash: 6d3d29e52e9f96d7c52aacc4fb3f9eb280ad6b147493ba985c69c03abfcce5e0
Instruction Fuzzy Hash: 959199746083419FC710DF25C48596ABBE5FF89314F14886EF88AAB352DB30EE45CB82

Function 000E4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 000C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?,?,000C035E), ref: 000C002B
Part of subcall function 000C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0046
Part of subcall function 000C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0054
Part of subcall function 000C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?), ref: 000C0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 000E4C51
_wcslen.LIBCMT ref: 000E4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 000E4DCF
CoTaskMemFree.OLE32(?), ref: 000E4DDA

Strings

NULL Pointer assignment, xrefs: 000E4E23, 000E4E52

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 63db3e3af52cf3e98a5c399f709661a645066cb5b23f7d3c36c7208b0222931a
Instruction ID: 2656ed5b1807cf1cedf63579eb9f8ff72bdb815acfa0323be7c5c034293e0ef8
Opcode Fuzzy Hash: 63db3e3af52cf3e98a5c399f709661a645066cb5b23f7d3c36c7208b0222931a
Instruction Fuzzy Hash: F0911471D0025DAFDF14DFA5C891AEEB7B9BF08310F10816AE915B7292EB709A44CF60

Function 000F20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 000F2183
GetMenuItemCount.USER32(00000000), ref: 000F21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000F21DD
_wcslen.LIBCMT ref: 000F2213
GetMenuItemID.USER32(?,?), ref: 000F224D
GetSubMenu.USER32(?,?), ref: 000F225B

Part of subcall function 000C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C3A57
Part of subcall function 000C3A3D: GetCurrentThreadId.KERNEL32 ref: 000C3A5E
Part of subcall function 000C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000C25B3), ref: 000C3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000F22E3

Part of subcall function 000CE97B: Sleep.KERNEL32 ref: 000CE9F3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: dbd63112e4bb888e2ee2d378c168accc98f92a0664030a68f393520f18bed3e8
Instruction ID: 617d9e8ae037ca6870b69dd9cc96c3e13b9ec5d61cd1e4f088f3b207425c67be
Opcode Fuzzy Hash: dbd63112e4bb888e2ee2d378c168accc98f92a0664030a68f393520f18bed3e8
Instruction Fuzzy Hash: 65717D75A00209AFDB50DFA4C841ABEB7F1FF88310F148469E956EB752DB34AE41DB90

Function 000CAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000CAEF9
GetKeyboardState.USER32(?), ref: 000CAF0E
SetKeyboardState.USER32(?), ref: 000CAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 000CAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 000CAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 000CAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000CB020

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: adb2246e7acb0ba6ef7f3e8ec1f2b2dad9122eebf3c292130ca8bacbe7215fbd
Instruction ID: 9895525f88a06afe6bf614189fec8a9bb781e9b1a5bfb960e7a57a07a8c5d7a5
Opcode Fuzzy Hash: adb2246e7acb0ba6ef7f3e8ec1f2b2dad9122eebf3c292130ca8bacbe7215fbd
Instruction Fuzzy Hash: 2251C1A0A047D93DFB3643748C46FBE7EE95B06308F08848DE1D9858D3C3A8AC85D752

Function 000CACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000CAD19
GetKeyboardState.USER32(?), ref: 000CAD2E
SetKeyboardState.USER32(?), ref: 000CAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000CADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000CADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000CAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000CAE38

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 79a715b89744106ca88965184ef3cf1cf3391222588b96004acf044648a2f9e9
Instruction ID: 56f398dd58d7ff33b6661d12c866fa701a37b839764596a28a72324de0c2dcda
Opcode Fuzzy Hash: 79a715b89744106ca88965184ef3cf1cf3391222588b96004acf044648a2f9e9
Instruction Fuzzy Hash: 3751A3A16447D93DFB3683248C55FBE7EE95B46308F08858DE1D6868C3D294AC84E7A2

Function 0009542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(000A3CD6,?,?,?,?,?,?,?,?,00095BA3,?,?,000A3CD6,?,?), ref: 00095470
__fassign.LIBCMT ref: 000954EB
__fassign.LIBCMT ref: 00095506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,000A3CD6,00000005,00000000,00000000), ref: 0009552C
WriteFile.KERNEL32(?,000A3CD6,00000000,00095BA3,00000000,?,?,?,?,?,?,?,?,?,00095BA3,?), ref: 0009554B
WriteFile.KERNEL32(?,?,00000001,00095BA3,00000000,?,?,?,?,?,?,?,?,?,00095BA3,?), ref: 00095584

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 37870b584d1e337984b1ba7cbe0f240d325e5bec892f33d38c17f11e3d3a4f3d
Instruction ID: 28d51ca54d3a8f9c0304d4d33d32fe8ec679cacdfc2adfa327cc2699fde2b424
Opcode Fuzzy Hash: 37870b584d1e337984b1ba7cbe0f240d325e5bec892f33d38c17f11e3d3a4f3d
Instruction Fuzzy Hash: 9B51C170A007099FDF11CFA8DC55AEEBBF9EF09301F15411AF995E7292D6309A41DB60

Function 00082D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00082D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00082D53
_ValidateLocalCookies.LIBCMT ref: 00082DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00082E0C
_ValidateLocalCookies.LIBCMT ref: 00082E61

Strings

csm, xrefs: 00082DF6

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 161ab8bd3e6f3ff910c5aa4e5963b324900e3eb18bbf3c6022a4954795439139
Instruction ID: 07344dc15064cc3b6a2385d368c0ed5bab03c38aa5a0d56b7d5ab96520a7adb4
Opcode Fuzzy Hash: 161ab8bd3e6f3ff910c5aa4e5963b324900e3eb18bbf3c6022a4954795439139
Instruction Fuzzy Hash: 61418034A00319ABCF10EF68C845AEEBFF5BF84324F148155E9956B392DB71AA15CBD0

Function 000E10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000E307A
Part of subcall function 000E304E: _wcslen.LIBCMT ref: 000E309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000E1112
WSAGetLastError.WSOCK32 ref: 000E1121
WSAGetLastError.WSOCK32 ref: 000E11C9
closesocket.WSOCK32(00000000), ref: 000E11F9

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 8bfa4c59a3b8f0c96e154190c69190e3b452978a00b8913a8a562c545d3c22a2
Instruction ID: ef5e8a9964eee13331b0a20f92c89cc25502731311104f06c04c674640ed1225
Opcode Fuzzy Hash: 8bfa4c59a3b8f0c96e154190c69190e3b452978a00b8913a8a562c545d3c22a2
Instruction Fuzzy Hash: 8741F631600248AFEB109F55C845FEDBBE9EF45364F148099FD15AB292C774AD41CBE0

Function 000CCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000CCF22,?), ref: 000CDDFD

Part of subcall function 000CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000CCF22,?), ref: 000CDE16

lstrcmpiW.KERNEL32(?,?), ref: 000CCF45
MoveFileW.KERNEL32(?,?), ref: 000CCF7F
_wcslen.LIBCMT ref: 000CD005
_wcslen.LIBCMT ref: 000CD01B
SHFileOperationW.SHELL32(?), ref: 000CD061

Strings

\*.*, xrefs: 000CCFF3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 030ef2e756bbf8fc04456df32c501be3a079d006349a1a581c1913eba05272c0
Instruction ID: 09abc57f0c499b5395d5affad0aab9c9465891b87654bbf4f730310ac4236f46
Opcode Fuzzy Hash: 030ef2e756bbf8fc04456df32c501be3a079d006349a1a581c1913eba05272c0
Instruction Fuzzy Hash: 394155719052185FEF52EBA4C981FDDB7F9AF18380F1000FEE549EB142EA34A645DB50

Function 000F2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 000F2E1C
GetWindowLongW.USER32(?,000000F0), ref: 000F2E4F
GetWindowLongW.USER32(?,000000F0), ref: 000F2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 000F2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 000F2EE0
GetWindowLongW.USER32(?,000000F0), ref: 000F2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000F2F0B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8cc2eca06d7cc02a65baf8163ab7b97578198c46b4c934750e030d2524af7340
Instruction ID: ce13a7e6454489676bbb6fd1fbc0848cf7975661958a72664221dca6e8700015
Opcode Fuzzy Hash: 8cc2eca06d7cc02a65baf8163ab7b97578198c46b4c934750e030d2524af7340
Instruction Fuzzy Hash: 5731F230644258EFEB21CF58DD85FA537E5EB9A714F250164FA00CFAB2CB71A884EB41

Function 000C7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C778F
SysAllocString.OLEAUT32(00000000), ref: 000C7792
SysAllocString.OLEAUT32(?), ref: 000C77B0
SysFreeString.OLEAUT32(?), ref: 000C77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 000C77DE
SysAllocString.OLEAUT32(?), ref: 000C77EC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 84f5fcda883657b4ea707627c5686a83ac5dfecc43672094a16b48ffe8db55d8
Instruction ID: 029338824832ec507194fa1c5b0e52f9a8143e968b74568654060c202c57b755
Opcode Fuzzy Hash: 84f5fcda883657b4ea707627c5686a83ac5dfecc43672094a16b48ffe8db55d8
Instruction Fuzzy Hash: E2219F7660821DAFEB10DFA8CC89EBE73ECEB093647008129F918DB151D674AC45DB64

Function 000C77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C7868
SysAllocString.OLEAUT32(00000000), ref: 000C786B
SysAllocString.OLEAUT32 ref: 000C788C
SysFreeString.OLEAUT32 ref: 000C7895
StringFromGUID2.OLE32(?,?,00000028), ref: 000C78AF
SysAllocString.OLEAUT32(?), ref: 000C78BD

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1b9b802192a9f58112c75158d0795baecc7e4fc8ffb83fbbed371db2947cd7d8
Instruction ID: f9bc6802b59d89014c2ad53c53bf3383477c649c66134e3d5a1febf9b5702696
Opcode Fuzzy Hash: 1b9b802192a9f58112c75158d0795baecc7e4fc8ffb83fbbed371db2947cd7d8
Instruction Fuzzy Hash: BA214735604109AFEB109FA8DC89EBE77ECEB097607108129FA19CB1A1DA74DC45DB74

Function 000D04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 000D04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000D052E

Strings

nul, xrefs: 000D0567

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6f7fa8e8d60ea8fe373491dbd1496c416c79500d9b35a3e695fe0b71dc47d532
Instruction ID: d91b7bf40e79d725218d6b12f4fe9f2478040270d9300d49344ff9b953a0e60c
Opcode Fuzzy Hash: 6f7fa8e8d60ea8fe373491dbd1496c416c79500d9b35a3e695fe0b71dc47d532
Instruction Fuzzy Hash: 57217E75900705EBEB208F29EC05BAA77E4AF44764F204A1AECA5D72E4D7709950DF30

Function 000D05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000D05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000D0601

Strings

nul, xrefs: 000D0639

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: cbaa5f2447b46ddadb1b65d9e8a3b52eaad706c813b0826d3390ce50a99091ee
Instruction ID: 540e1a968e709220827f082d0bec9a5a433b0c708394faf17a24039230e61f9d
Opcode Fuzzy Hash: cbaa5f2447b46ddadb1b65d9e8a3b52eaad706c813b0826d3390ce50a99091ee
Instruction Fuzzy Hash: F5219F755003059BEB208F799C05FAA77E8AF85724F200A1AF8A5E33E0D770D960DB30

Function 000F40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0006600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0006604C
Part of subcall function 0006600E: GetStockObject.GDI32(00000011), ref: 00066060
Part of subcall function 0006600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0006606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000F4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000F411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000F412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000F4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000F4145

Strings

Msctls_Progress32, xrefs: 000F40E3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 586d78df47b0f862d1b562b40a07de3b8b943fddc58d1153b8845ada9d193131
Instruction ID: 2f8a98fd32757064f8e721a42a3786a631870df048f57943459d26f82cd7f4e1
Opcode Fuzzy Hash: 586d78df47b0f862d1b562b40a07de3b8b943fddc58d1153b8845ada9d193131
Instruction Fuzzy Hash: 79115EB215021DBEEB219E64CC86EE77F9DEF08798F014111BB18A6190CB769C61DBA4

Function 0009D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0009D7A3: _free.LIBCMT ref: 0009D7CC

_free.LIBCMT ref: 0009D82D

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 0009D838
_free.LIBCMT ref: 0009D843
_free.LIBCMT ref: 0009D897
_free.LIBCMT ref: 0009D8A2
_free.LIBCMT ref: 0009D8AD
_free.LIBCMT ref: 0009D8B8

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 6414fa889f79b1c35c057c22dc61fb2e7f1f718e586a86b7bb9d546d07d27c75
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: FA11DA71585B04BADE21FFF0CC47FCBBBDCAF05700F404826B29DA6593EA65B505A6A0

Function 000CDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000CDA74
LoadStringW.USER32(00000000), ref: 000CDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000CDA91
LoadStringW.USER32(00000000), ref: 000CDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000CDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000CDAB9

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f7e45851d44b0cb55db124eee6c4c2b8c372b90f1fcde060df01d2d701e44c05
Instruction ID: 5110c3f0c7f217553cfd3d134c203e6d947d80a14219e6c97d33e740e3f7c3a9
Opcode Fuzzy Hash: f7e45851d44b0cb55db124eee6c4c2b8c372b90f1fcde060df01d2d701e44c05
Instruction Fuzzy Hash: D30162F250420C7FF710ABA09E8AEFB736CE708701F4004A6B746E2441E6789E849F75

Function 000D096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00C30088,00C30088), ref: 000D097B
EnterCriticalSection.KERNEL32(00C30068,00000000), ref: 000D098D
TerminateThread.KERNEL32(?,000001F6), ref: 000D099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 000D09A9
CloseHandle.KERNEL32(?), ref: 000D09B8
InterlockedExchange.KERNEL32(00C30088,000001F6), ref: 000D09C8
LeaveCriticalSection.KERNEL32(00C30068), ref: 000D09CF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 09d390f78b899b98fb64b022d90668c628d762fb92bc4d2a7a55dd5024b50ea8
Instruction ID: a5c7e6e353acd9ef5046fb52d61c35ce8bb47edb6a5a6d02cbec314b9857b4dc
Opcode Fuzzy Hash: 09d390f78b899b98fb64b022d90668c628d762fb92bc4d2a7a55dd5024b50ea8
Instruction Fuzzy Hash: A2F01D31442606BBF7815B94EF8AFE6BA25FF01702F401016F10190CA0C7789465EFA0

Function 000E1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 000E1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000E1DE1
WSAGetLastError.WSOCK32 ref: 000E1DF2
htons.WSOCK32(?,?,?,?,?), ref: 000E1EDB
inet_ntoa.WSOCK32(?), ref: 000E1E8C

Part of subcall function 000C39E8: _strlen.LIBCMT ref: 000C39F2

Part of subcall function 000E3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,000DEC0C), ref: 000E3240

_strlen.LIBCMT ref: 000E1F35

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: dae35f66725a25170d7f4b43de2d7cb59f281eba9755bc47021954d9a777edbf
Instruction ID: 0e3db3d262b1b854fb9d4b90052081d806cf0e55ab1955cd96d7ffac0b1930d7
Opcode Fuzzy Hash: dae35f66725a25170d7f4b43de2d7cb59f281eba9755bc47021954d9a777edbf
Instruction Fuzzy Hash: 25B1D070604380AFD324DF25C885FAA7BE5AF84318F54855CF45AAB2A3DB31ED42CB91

Function 00065D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00065D30
GetWindowRect.USER32(?,?), ref: 00065D71
ScreenToClient.USER32(?,?), ref: 00065D99
GetClientRect.USER32(?,?), ref: 00065ED7
GetWindowRect.USER32(?,?), ref: 00065EF8

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: fb6d9889591d960475f6dea4acb56b805b359489ba096895fda417d49d9d10a2
Instruction ID: aa03f9982a65679006b1db6da2c25d474d1c1081c5d4d38c9cc8e0faf5bd0eba
Opcode Fuzzy Hash: fb6d9889591d960475f6dea4acb56b805b359489ba096895fda417d49d9d10a2
Instruction Fuzzy Hash: 65B17C38A0074ADBDB24CFA8C8407EEB7F2FF58311F14851AE8A9D7250DB74AA51DB50

Function 000901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000900D6
__allrem.LIBCMT ref: 000900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0009010B
__allrem.LIBCMT ref: 00090122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00090140

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: f394accbabf24b9944da4e7cc5d012b1c80cb0e1f290c7950c005efa3c165fb0
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: AC81F672A00706AFEB24AF78CC41BAFB3E9AF41764F24453AF551D7282E771D9009B90

Function 000961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000882D9,000882D9,?,?,?,0009644F,00000001,00000001,8BE85006), ref: 00096258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0009644F,00000001,00000001,8BE85006,?,?,?), ref: 000962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000963D8
__freea.LIBCMT ref: 000963E5

Part of subcall function 00093820: RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

__freea.LIBCMT ref: 000963EE
__freea.LIBCMT ref: 00096413

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4d98f21e3b4518016ddbc239201b7e5635df458e8aec46c9d1d36b95560001c8
Instruction ID: 3423d912e83134e9d0718f2ba0260681061b253f8ae9be46a5ec02af30c19b99
Opcode Fuzzy Hash: 4d98f21e3b4518016ddbc239201b7e5635df458e8aec46c9d1d36b95560001c8
Instruction Fuzzy Hash: AD51F372600216ABEF268F64CC81EBF77A9EF45750F158229FC05D7141EB36DD50E660

Function 000EBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000EC9F1
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA68
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000EBD25
RegCloseKey.ADVAPI32(00000000), ref: 000EBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000EBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000EBDF3
RegCloseKey.ADVAPI32(?), ref: 000EBDFF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 900f5a0f7bd56962bea522ab04b7431e35ad507f6ec8b113d928f8ae780794e9
Instruction ID: 05bf31913281dd347cb04233db88b626abb0ed9ab3b5f9706ab581da9132d429
Opcode Fuzzy Hash: 900f5a0f7bd56962bea522ab04b7431e35ad507f6ec8b113d928f8ae780794e9
Instruction Fuzzy Hash: A4817C30208281AFD714DF24C895E6BBBE5FF84308F14896CF5599B2A2DB31ED45CB92

Function 000BF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 000BF7B9
SysAllocString.OLEAUT32(00000001), ref: 000BF860
VariantCopy.OLEAUT32(000BFA64,00000000), ref: 000BF889
VariantClear.OLEAUT32(000BFA64), ref: 000BF8AD
VariantCopy.OLEAUT32(000BFA64,00000000), ref: 000BF8B1
VariantClear.OLEAUT32(?), ref: 000BF8BB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 98e387d1abcadfd05250a871b6300c3f420c9d4be0e9b5f11c2d07b3835d4714
Instruction ID: 26ef948697f712e8dfac22128f8817d9aa31d5f6217eb006fa532faea49a5dde
Opcode Fuzzy Hash: 98e387d1abcadfd05250a871b6300c3f420c9d4be0e9b5f11c2d07b3835d4714
Instruction Fuzzy Hash: 6B51C031600312BADF20AB65DC95BF9B3A9AF45710B209477E906DF292DB749C40CB96

Function 000D910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00067620: _wcslen.LIBCMT ref: 00067625

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 000D94E5
_wcslen.LIBCMT ref: 000D9506
_wcslen.LIBCMT ref: 000D952D
GetSaveFileNameW.COMDLG32(00000058), ref: 000D9585

Strings

X, xrefs: 000D9412

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 9a2c87c2305afaa6cd54224dcfa19b4c9da6d5a3ea8bb08c7cd74da9fb36026f
Instruction ID: e8e007e1ffc2fa2359674e427848f06be0e28eef523d6eb440e7a5c8aa3ffba8
Opcode Fuzzy Hash: 9a2c87c2305afaa6cd54224dcfa19b4c9da6d5a3ea8bb08c7cd74da9fb36026f
Instruction Fuzzy Hash: 71E19371508301DFD724EF24C881AAAB7E5BF85314F14856DF8899B3A2DB31DD45CBA1

Function 0007920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

BeginPaint.USER32(?,?,?), ref: 00079241
GetWindowRect.USER32(?,?), ref: 000792A5
ScreenToClient.USER32(?,?), ref: 000792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000792D3
EndPaint.USER32(?,?,?,?,?), ref: 00079321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000B71EA

Part of subcall function 00079339: BeginPath.GDI32(00000000), ref: 00079357

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 432f101dfd7bd03623d40c6a23cf2d0fb0a3ee78fdb91f97c9790bdcdef2683f
Instruction ID: 83df25c9b8c3e6785e119f67babe5dc28c9c247ed5c0a581beb2409dc9d1eb85
Opcode Fuzzy Hash: 432f101dfd7bd03623d40c6a23cf2d0fb0a3ee78fdb91f97c9790bdcdef2683f
Instruction Fuzzy Hash: 2E41C130508300AFE721DF28CC85FBA7BF8EF85324F144669F9A9872A2C7359945DB61

Function 000D07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 000D080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 000D0847
EnterCriticalSection.KERNEL32(?), ref: 000D0863
LeaveCriticalSection.KERNEL32(?), ref: 000D08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 000D08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 000D0921

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 01260aca49671dbb6a82e3e0c2a170f23cde385856f1434b0684f40cad0039e2
Instruction ID: 644daa96e2ae1156e3b7e7cd386ce81d966f4c1324d29e427c0930e5cde3f6e3
Opcode Fuzzy Hash: 01260aca49671dbb6a82e3e0c2a170f23cde385856f1434b0684f40cad0039e2
Instruction Fuzzy Hash: 7C416D71900209EFEF14EF54DC85AAAB7B8FF04310F1480A5ED049A297DB74DE65DBA4

Function 000F81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,000BF3AB,00000000,?,?,00000000,?,000B682C,00000004,00000000,00000000), ref: 000F824C
EnableWindow.USER32(?,00000000), ref: 000F8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 000F82D1
ShowWindow.USER32(?,00000004), ref: 000F82E5
EnableWindow.USER32(?,00000001), ref: 000F830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 000F832F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1ac1a441b360c103f47b7996852e082c243388796d08841d1e439c808137f68a
Instruction ID: aaa1fb4eb869bd0a95b87f5a00059860422ef29d712051fa7312e812e7f40409
Opcode Fuzzy Hash: 1ac1a441b360c103f47b7996852e082c243388796d08841d1e439c808137f68a
Instruction Fuzzy Hash: 3C419434601648EFEB91CF15C999FF87BE0BB0A714F189169E6084FA72CB31A845EF50

Function 000C4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000C4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000C4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000C4CEA
_wcslen.LIBCMT ref: 000C4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000C4D10
_wcsstr.LIBVCRUNTIME ref: 000C4D1A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 3b7c73e7c20678663465f275303035d436bf52e4d6de105e9659161f533bdf2c
Instruction ID: 8798249cb85e544151b24bbb600d4d5a0de5ecebde840efd5f20ddddb15d8600
Opcode Fuzzy Hash: 3b7c73e7c20678663465f275303035d436bf52e4d6de105e9659161f533bdf2c
Instruction Fuzzy Hash: 6A21D7326042057BFB656B299D5AF7F7BE8EF45750F10802DF80ACA1A2EA75DC40D7A0

Function 000D581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00063AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00063A97,?,?,00062E7F,?,?,?,00000000), ref: 00063AC2

_wcslen.LIBCMT ref: 000D587B
CoInitialize.OLE32(00000000), ref: 000D5995
CoCreateInstance.OLE32(000FFCF8,00000000,00000001,000FFB68,?), ref: 000D59AE
CoUninitialize.OLE32 ref: 000D59CC

Strings

.lnk, xrefs: 000D5876, 000D58C1, 000D5985

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c2f4204565f4eeb5745055de115b2d0001caaf0436245f177e566eb91039f4df
Instruction ID: 2e3b06ec7b11d7863b47ba068ed42a2ff9ee8c885b2adf1450ed0f06f73c7867
Opcode Fuzzy Hash: c2f4204565f4eeb5745055de115b2d0001caaf0436245f177e566eb91039f4df
Instruction Fuzzy Hash: 43D156716047019FC714DF14C890A6ABBE6FF89725F14485EF88A9B362DB31EC45CBA2

Function 000C175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000C0FCA
Part of subcall function 000C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000C0FD6
Part of subcall function 000C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000C0FE5
Part of subcall function 000C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000C0FEC
Part of subcall function 000C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000C1002

GetLengthSid.ADVAPI32(?,00000000,000C1335), ref: 000C17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000C17BA
HeapAlloc.KERNEL32(00000000), ref: 000C17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 000C17DA
GetProcessHeap.KERNEL32(00000000,00000000,000C1335), ref: 000C17EE
HeapFree.KERNEL32(00000000), ref: 000C17F5

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: baafbc376b06e924db1452a68d9a96336cfb5999dd4cceda98478b4b94d1a269
Instruction ID: b5ae38d6e6f4f8c3afd8ad64146be7cc724692621cac3808f5d08db043a1fae1
Opcode Fuzzy Hash: baafbc376b06e924db1452a68d9a96336cfb5999dd4cceda98478b4b94d1a269
Instruction Fuzzy Hash: 0C118931504209EFEB109BA4CD4AFEE7BB9EF42355F10425CE48197212C739A955DB60

Function 000C14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000C14FF
OpenProcessToken.ADVAPI32(00000000), ref: 000C1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000C1515
CloseHandle.KERNEL32(00000004), ref: 000C1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000C154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 000C1563

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 36fb1d73685fb36fe729cf2690b4e6929d94f91a4814168d1cfc621b1b4c919d
Instruction ID: 35feb0e49dd60c2fe14103654a248e94efa9fff27e8419ad8f93134c8f7d4145
Opcode Fuzzy Hash: 36fb1d73685fb36fe729cf2690b4e6929d94f91a4814168d1cfc621b1b4c919d
Instruction Fuzzy Hash: 3D11297250020DEBEF118F98DE4AFEE7BA9FF49744F044059FA05A2161C3758E65EB60

Function 00083382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00083379,00082FE5), ref: 00083390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0008339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000833B7
SetLastError.KERNEL32(00000000,?,00083379,00082FE5), ref: 00083409

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 989d726c519e927e2757a04a6b3fcef93f7048f570535068f33e5b04b1b9a8ec
Instruction ID: 14659d9c549c4f0a3d69735d67a0372a977f08ad3ccd181f7e32d23489a98f5e
Opcode Fuzzy Hash: 989d726c519e927e2757a04a6b3fcef93f7048f570535068f33e5b04b1b9a8ec
Instruction Fuzzy Hash: 1F012832608711BEA67437787C859AA2AD4FB85B793204229F650801F2EF114F2253C8

Function 00092D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00095686,000A3CD6,?,00000000,?,00095B6A,?,?,?,?,?,0008E6D1,?,00128A48), ref: 00092D78
_free.LIBCMT ref: 00092DAB
_free.LIBCMT ref: 00092DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0008E6D1,?,00128A48,00000010,00064F4A,?,?,00000000,000A3CD6), ref: 00092DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0008E6D1,?,00128A48,00000010,00064F4A,?,?,00000000,000A3CD6), ref: 00092DEC
_abort.LIBCMT ref: 00092DF2

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 103e486ba1f3cb557f6cdaa5559b86692f101b07dc055681a4fd06d0e909a7ec
Instruction ID: 4ba3b5aa5a3a47eb37738214dd3418c0fee39a00dbbb6c0685ffedb8d4463a00
Opcode Fuzzy Hash: 103e486ba1f3cb557f6cdaa5559b86692f101b07dc055681a4fd06d0e909a7ec
Instruction Fuzzy Hash: EDF0FC3550660077DF627734BC07EAF25D9AFC17E1F250419F824D65D3EF248942B1A0

Function 000F8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00079639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00079693
Part of subcall function 00079639: SelectObject.GDI32(?,00000000), ref: 000796A2
Part of subcall function 00079639: BeginPath.GDI32(?), ref: 000796B9
Part of subcall function 00079639: SelectObject.GDI32(?,00000000), ref: 000796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 000F8A4E
LineTo.GDI32(?,00000003,00000000), ref: 000F8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 000F8A70
LineTo.GDI32(?,00000000,00000003), ref: 000F8A80
EndPath.GDI32(?), ref: 000F8A90
StrokePath.GDI32(?), ref: 000F8AA0

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 32f85ff252690067cfb5555db3210fca3134f83ce64594a7ed9c7d274cab58f6
Instruction ID: 40f9a276e1362609edaa70d14620239f90ed94a3619c76d338882f6e80830710
Opcode Fuzzy Hash: 32f85ff252690067cfb5555db3210fca3134f83ce64594a7ed9c7d274cab58f6
Instruction Fuzzy Hash: BB110C7600010DFFEB119F90DC49EEA7F6CEB04364F008412BA1995561C7759D55EB60

Function 000C51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000C5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 000C5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000C5230
ReleaseDC.USER32(00000000,00000000), ref: 000C5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000C524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 000C5261

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1b1b9bbd48bdbe8416a8459d36945f7d97ae80b021173b963d677d7959d480e2
Instruction ID: 39ffaf18a10ac5ed0a5b6b71fe475cf4d9a809332e07abbc6f5530a2302bf90b
Opcode Fuzzy Hash: 1b1b9bbd48bdbe8416a8459d36945f7d97ae80b021173b963d677d7959d480e2
Instruction Fuzzy Hash: F5018F75A00709BBFB109BA59D4AF6EBFB8EF48351F044065FA04E7381DA709800DBA0

Function 00061BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00061BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00061BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00061C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00061C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00061C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00061C22

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5e20c7401225125bb387f498752579b388b26052aa2e7b2eee37bfe065eb6c8f
Instruction ID: 8f104f5e084e9e6c9446c725c022e5cb24f940c6248c35799ca3f2dd013a1728
Opcode Fuzzy Hash: 5e20c7401225125bb387f498752579b388b26052aa2e7b2eee37bfe065eb6c8f
Instruction Fuzzy Hash: CD016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 000CEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000CEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000CEB46
GetWindowThreadProcessId.USER32(?,?), ref: 000CEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000CEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000CEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000CEB75

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8f0ad48883e36883e2296161aa0c873d2d98df528e9fb7366094c78bcdebe534
Instruction ID: 805d33b71a28201fc01039b416b29b053231b2b5c2edd0e923140faeb666f58f
Opcode Fuzzy Hash: 8f0ad48883e36883e2296161aa0c873d2d98df528e9fb7366094c78bcdebe534
Instruction Fuzzy Hash: 44F01772240158BBF7215B629D0EEFF3A7CEFCAB15F000158FA01D14919BA85A01E6B5

Function 000B7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 000B7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 000B7469
GetWindowDC.USER32(?), ref: 000B7475
GetPixel.GDI32(00000000,?,?), ref: 000B7484
ReleaseDC.USER32(?,00000000), ref: 000B7496
GetSysColor.USER32(00000005), ref: 000B74B0

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 42043ce6a3ed032c7f7b3d0c5afc9bba878e6c8cd93ab035bcd0cfe1b5224cc2
Instruction ID: cd88bcd06e1452c6f6082a7b92aebef163a8752e0d61f870bd74d5d90b903370
Opcode Fuzzy Hash: 42043ce6a3ed032c7f7b3d0c5afc9bba878e6c8cd93ab035bcd0cfe1b5224cc2
Instruction Fuzzy Hash: 1E017831404609EFFB509F64DD0AFFA7BB5FB04322F240060F919A25A0CB351E91EB10

Function 000C1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C187F
UnloadUserProfile.USERENV(?,?), ref: 000C188B
CloseHandle.KERNEL32(?), ref: 000C1894
CloseHandle.KERNEL32(?), ref: 000C189C
GetProcessHeap.KERNEL32(00000000,?), ref: 000C18A5
HeapFree.KERNEL32(00000000), ref: 000C18AC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 91e238c5aae3221c766aa6828a0d82374ded7e08607c2d4b86a77ada523bf68e
Instruction ID: 48236e423f3644afa0f75e1ba183dcf8019c305e5cdeefec923cccf75082fffa
Opcode Fuzzy Hash: 91e238c5aae3221c766aa6828a0d82374ded7e08607c2d4b86a77ada523bf68e
Instruction Fuzzy Hash: FBE0C936004509BBF6015BA1EE0DD15BF29FF4A7217108220F22581870CB365430FB50

Function 000CC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00067620: _wcslen.LIBCMT ref: 00067625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000CC6EE
_wcslen.LIBCMT ref: 000CC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000CC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000CC7CA

Strings

0, xrefs: 000CC6AF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ac6954e3827f1188d09172cdca9af6ea7f2f1e00d41a370c823f58bd17c97e99
Instruction ID: 0cea572b29f1053a214ee64884fff4c0daecd50c8d99a7ec71e2631dad59dfb8
Opcode Fuzzy Hash: ac6954e3827f1188d09172cdca9af6ea7f2f1e00d41a370c823f58bd17c97e99
Instruction Fuzzy Hash: 3751BF716083019BE7A49F28C985FAFB7E4EF49314F040A2DF99AE31A1DB74D944CB52

Function 000EAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 000EAEA3

Part of subcall function 00067620: _wcslen.LIBCMT ref: 00067625

GetProcessId.KERNEL32(00000000), ref: 000EAF38
CloseHandle.KERNEL32(00000000), ref: 000EAF67

Strings

<, xrefs: 000EAE6B
@, xrefs: 000EAE72

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 985050977a23d1f1a29a3b728e0bd0a6a3942e6d8431c0456b806fa3efc942a7
Instruction ID: f043aee953360ee33d40700c19e29a3889b804bcb71eadc38530047e108ca80d
Opcode Fuzzy Hash: 985050977a23d1f1a29a3b728e0bd0a6a3942e6d8431c0456b806fa3efc942a7
Instruction Fuzzy Hash: 1B718C70A00659DFCB14EF95C484A9EBBF1FF09314F0484A9E85AAB392CB74ED45CB91

Function 000C719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000C7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000C723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000C724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000C72CF

Strings

DllGetClassObject, xrefs: 000C7242

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0ffd9c62ddbd28933ebd18834b3123854daf5fdaea47f4639f453b4a5970701c
Instruction ID: d0c75e254ce1f0174211b0b712bcb176ff97bf0de2a9c4114c620ca519e64436
Opcode Fuzzy Hash: 0ffd9c62ddbd28933ebd18834b3123854daf5fdaea47f4639f453b4a5970701c
Instruction Fuzzy Hash: EE414A71A04204AFEB25CF54C885FAE7BA9EF45310F2480ADBD099F20AD7B5D945DFA0

Function 000F3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000F3E35
IsMenu.USER32(?), ref: 000F3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000F3E92
DrawMenuBar.USER32 ref: 000F3EA5

Strings

0, xrefs: 000F3D89

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: fca4fe8a3157041adf70c8d7dbfd186c6e0535f1e447f4325893ad4455f2c953
Instruction ID: 4f6b9a46b3b20184c2b1145f10de3a5aa3413cf93a78a60fc6ec1aa2114289ae
Opcode Fuzzy Hash: fca4fe8a3157041adf70c8d7dbfd186c6e0535f1e447f4325893ad4455f2c953
Instruction Fuzzy Hash: F1412575A0020DAFDF10DF50D884EEABBF9FF49364F044129EA05A7690D734AE45EB50

Function 000C1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000C1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000C1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 000C1EA9

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

Strings

ListBox, xrefs: 000C1E25
ComboBox, xrefs: 000C1DF0

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e9cdffc9386babcc106b4dcc1d3374acd4ca9d6edbc3e4ccf9f17bcb4eedd696
Instruction ID: 27b5109c52cb920c480d67a82a855eb794eb8961bf68a9f99ef445d68308c2a9
Opcode Fuzzy Hash: e9cdffc9386babcc106b4dcc1d3374acd4ca9d6edbc3e4ccf9f17bcb4eedd696
Instruction Fuzzy Hash: C2210571A00108BEEB14AB64DD86DFFB7BADF46360B10811DF825E75E2DB78490AD620

Function 000F2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000F2F8D
LoadLibraryW.KERNEL32(?), ref: 000F2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000F2FA9
DestroyWindow.USER32(?), ref: 000F2FB1

Strings

SysAnimate32, xrefs: 000F2F68

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 58ef10116bf223dbeb0a52d2101e6dd765013b6be29a22f1b4ba40ada38e4c85
Instruction ID: 3e0fe5d82b4b4c36b5578cdc538e082a43fcd3d14d10a15dfc9335803ae69a0e
Opcode Fuzzy Hash: 58ef10116bf223dbeb0a52d2101e6dd765013b6be29a22f1b4ba40ada38e4c85
Instruction Fuzzy Hash: C521AC7122420DABEB108FA4DC81EBB37B9EB99364F104638FA50D29A0D771DC95A760

Function 00084D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00084D1E,000928E9,?,00084CBE,000928E9,001288B8,0000000C,00084E15,000928E9,00000002), ref: 00084D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00084DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00084D1E,000928E9,?,00084CBE,000928E9,001288B8,0000000C,00084E15,000928E9,00000002,00000000), ref: 00084DC3

Strings

CorExitProcess, xrefs: 00084D98
mscoree.dll, xrefs: 00084D86

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 934ad8e1686e3ca43349f9d75082fb7b3f1c594d17d57ae0b73ecdb26eb4a35f
Instruction ID: 9e47b5e58e6cd39f68945d8a5508d235994fdd060e563dd543c277f5649a8ce1
Opcode Fuzzy Hash: 934ad8e1686e3ca43349f9d75082fb7b3f1c594d17d57ae0b73ecdb26eb4a35f
Instruction Fuzzy Hash: 65F0AF34A0030DBBEB11AF90DC4AFADBBF5FF44751F0000A8F845A2AA0CB785A50DB91

Function 00064E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00064EDD,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00064EAE
FreeLibrary.KERNEL32(00000000,?,?,00064EDD,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00064EA8
kernel32.dll, xrefs: 00064E94

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 238782ac1c34c8a8c8a218a7992ec8aa0ee53789371d74e8edb5877e73267c94
Instruction ID: 2ee2fa6c6f67ff398b4067738c51d733cf9a35589232c7c998a98be0620a82c8
Opcode Fuzzy Hash: 238782ac1c34c8a8c8a218a7992ec8aa0ee53789371d74e8edb5877e73267c94
Instruction Fuzzy Hash: C2E0C236E026365BF2721B25BD2AF7F66A9BF82F62B050115FD04E2A00DB78CD11D4A0

Function 00064E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000A3CDE,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00064E74
FreeLibrary.KERNEL32(00000000,?,?,000A3CDE,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00064E6E
kernel32.dll, xrefs: 00064E5B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 874b70635e39cc5fc9167de3935ee8f6cbbcb1df730fc18b35f5b77747460000
Instruction ID: 44ea5f4be64e7718d8f499c35dc0ee60c6a94f2dc735f2138f2d73c4527aa816
Opcode Fuzzy Hash: 874b70635e39cc5fc9167de3935ee8f6cbbcb1df730fc18b35f5b77747460000
Instruction Fuzzy Hash: 07D02B395026365BB6321B247C1EDEF2A59BF83F113050111F904E2510CF39CD11D1D0

Function 000D2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000D2C05
DeleteFileW.KERNEL32(?), ref: 000D2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000D2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000D2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000D2CC0

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: d04ae0682437dc1415c1626b9ca2d4fbfc862673f8d1e9a183119efd6aea5e15
Instruction ID: a4d1aba422adb25d5d8367737e81e128272ea1936ae635c3082745d578b4674b
Opcode Fuzzy Hash: d04ae0682437dc1415c1626b9ca2d4fbfc862673f8d1e9a183119efd6aea5e15
Instruction Fuzzy Hash: 4CB12C71D00219ABDF21EBA4CC85EEEB7BDEF59350F1040A6F509E6252EB349A448F61

Function 000EA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000EA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000EA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 000EA468
CloseHandle.KERNEL32(?), ref: 000EA63D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a8def5a88fdfa40ba098f78c921b99208744941cbdc9c18d3b12aca8aafb32f3
Instruction ID: f85c0511d0f88010d052accd0dc5fef333d5c8c89f0bf7d48a306446ffb231b6
Opcode Fuzzy Hash: a8def5a88fdfa40ba098f78c921b99208744941cbdc9c18d3b12aca8aafb32f3
Instruction Fuzzy Hash: 6FA1B0B16047019FE720DF24C886F6AB7E1AF88714F14885DF59A9B292D7B0EC41CB92

Function 0009BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00103700), ref: 0009BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0013121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0009BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00131270,000000FF,?,0000003F,00000000,?), ref: 0009BC36
_free.LIBCMT ref: 0009BB7F

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 0009BD4B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: f587a96960b728508e8a4f094249d8ee3ac3c59834016e38c633b25b50424907
Instruction ID: 4f2157acf2eb49aae985bcad338219363e5292bed7f2da3bb50c0779d628cb19
Opcode Fuzzy Hash: f587a96960b728508e8a4f094249d8ee3ac3c59834016e38c633b25b50424907
Instruction Fuzzy Hash: 7C51DB71904209AFDF20DF65AE819AEB7F8EF41330B10426AE554D71A1EB709E41AB90

Function 000CE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000CCF22,?), ref: 000CDDFD

Part of subcall function 000CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000CCF22,?), ref: 000CDE16

Part of subcall function 000CE199: GetFileAttributesW.KERNEL32(?,000CCF95), ref: 000CE19A

lstrcmpiW.KERNEL32(?,?), ref: 000CE473
MoveFileW.KERNEL32(?,?), ref: 000CE4AC
_wcslen.LIBCMT ref: 000CE5EB
_wcslen.LIBCMT ref: 000CE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 000CE650

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 6463df5d67e9ccd842d43e5fc917ebc7f1aba486f19a2072f7b1895066335c5a
Instruction ID: db746b398a43767bdee610b638cc53808960b001487cb5c09ee92fcc959d80ae
Opcode Fuzzy Hash: 6463df5d67e9ccd842d43e5fc917ebc7f1aba486f19a2072f7b1895066335c5a
Instruction Fuzzy Hash: 695163B24087855BD764EB90DC81EDF73DCAF95340F00492EF689D3192EF74A6888766

Function 000EB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000EC9F1
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA68
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000EBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000EBB63
RegCloseKey.ADVAPI32(?,?), ref: 000EBBA6
RegCloseKey.ADVAPI32(00000000), ref: 000EBBB3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: b9967864fb51eb1397fb2208179c860ea2aa9fdd267633a6d1c213ccb35c98a6
Instruction ID: e8848eba2921f59580530ed136229e3dd713e68f4c1f45fc78bfc5901ab8db97
Opcode Fuzzy Hash: b9967864fb51eb1397fb2208179c860ea2aa9fdd267633a6d1c213ccb35c98a6
Instruction Fuzzy Hash: 91619031208241AFD714DF15C891E6BBBE9FF84308F54856CF4999B2A2DB31ED45CB92

Function 000C8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000C8BCD
VariantClear.OLEAUT32 ref: 000C8C3E
VariantClear.OLEAUT32 ref: 000C8C9D
VariantClear.OLEAUT32(?), ref: 000C8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000C8D3B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f864be5c7007a7805a6aef73f76d005530b644b2c953ee28f9c4d8a7e52e84d2
Instruction ID: 87bd7533c31acb695a7807c706c340d08d54d8888a20fc4a052461a1e9c4c5fa
Opcode Fuzzy Hash: f864be5c7007a7805a6aef73f76d005530b644b2c953ee28f9c4d8a7e52e84d2
Instruction Fuzzy Hash: B25168B5A00219EFDB14CF68D884EAAB7F8FF89310F158569E906DB350E734E911CB94

Function 000D8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000D8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 000D8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000D8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000D8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000D8C5F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 4fdeb90331cf2e7c0a49be29ed44d0aaa0a8d1769006e7bd3e501ed13d44510f
Instruction ID: ef25b75195d78f151beeaef4ea1d619cff8baf1f4ce82767f605b1167c9ccf27
Opcode Fuzzy Hash: 4fdeb90331cf2e7c0a49be29ed44d0aaa0a8d1769006e7bd3e501ed13d44510f
Instruction Fuzzy Hash: 78513C35A00615DFDB04DF64C881EA9BBF5FF48314F088099E849AB362DB35ED51DBA0

Function 000E8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 000E8F40
GetProcAddress.KERNEL32(00000000,?), ref: 000E8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 000E8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 000E9032
FreeLibrary.KERNEL32(00000000), ref: 000E9052

Part of subcall function 0007F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,000D1043,?,7735E610), ref: 0007F6E6
Part of subcall function 0007F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000BFA64,00000000,00000000,?,?,000D1043,?,7735E610,?,000BFA64), ref: 0007F70D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ffb66b59a5a6ab1b38cd00056b6cfad6b373372d73de56d7b89b548cc7744517
Instruction ID: dc55b9d3446c88bad30379e2329423ae4b59dd2b2eb31cb56459b159848f3034
Opcode Fuzzy Hash: ffb66b59a5a6ab1b38cd00056b6cfad6b373372d73de56d7b89b548cc7744517
Instruction Fuzzy Hash: EC513834600245DFDB15DF59C4949EDBBF1FF49324B4880A9E80AAB762DB31ED85CB90

Function 000F6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 000F6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 000F6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 000F6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,000DAB79,00000000,00000000), ref: 000F6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 000F6CC7

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 24eaf6189be4713530a850e0f6d6ba07fc8338766a2a9a197d20135f91853c54
Instruction ID: 75204467ecc839480d087c3586a04291399d514b0adbd21cdae6fd114a47ac82
Opcode Fuzzy Hash: 24eaf6189be4713530a850e0f6d6ba07fc8338766a2a9a197d20135f91853c54
Instruction Fuzzy Hash: DA41B33560410CAFE724DF68CD59FB97BE5EB09350F150228FA95E7AE1C372AD41EA80

Function 00092051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000920C3
_free.LIBCMT ref: 000920E3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 212af6b1fe9fe1ec10493ad3a461a5932902251a1190f7e42f71f8394978566a
Instruction ID: fe39e017c848f9084ae968e49d5a949f3a3fbe6f616e407fc63ab28947f15530
Opcode Fuzzy Hash: 212af6b1fe9fe1ec10493ad3a461a5932902251a1190f7e42f71f8394978566a
Instruction Fuzzy Hash: EE41D232A00204AFCF24DF78C881AAEB7E5EF89314F154568E615EB392DB31AD11DB81

Function 0007912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00079141
ScreenToClient.USER32(00000000,?), ref: 0007915E
GetAsyncKeyState.USER32(00000001), ref: 00079183
GetAsyncKeyState.USER32(00000002), ref: 0007919D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1f0a9bc03cb0da4b99d506fe956a41652f11d2879700781d4f144f23030c482e
Instruction ID: feef574852cfa1e5a3aff1033961d84e129486c488f7cc060061972d799b8831
Opcode Fuzzy Hash: 1f0a9bc03cb0da4b99d506fe956a41652f11d2879700781d4f144f23030c482e
Instruction Fuzzy Hash: F3418171A0860AFBDF159F68C844BFEB7B4FF45320F208615E429A72D0C7345994DBA1

Function 000D3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 000D38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 000D3922
TranslateMessage.USER32(?), ref: 000D394B
DispatchMessageW.USER32(?), ref: 000D3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000D3966

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 6fa64d02449e4ebee1a913ad749088869fe985a84765785e0ad5b47ba355bac6
Instruction ID: b98fb7afc8b0e4bc01c27537cddf22c543e0eba3503a082d0168474823a08140
Opcode Fuzzy Hash: 6fa64d02449e4ebee1a913ad749088869fe985a84765785e0ad5b47ba355bac6
Instruction Fuzzy Hash: BB31B770904345AEEB75CB34D859FB6B7E8AB05314F04056FE462826E0E7F49AC4DB32

Function 000DCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,000DC21E,00000000), ref: 000DCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 000DCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,000DC21E,00000000), ref: 000DCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,000DC21E,00000000), ref: 000DCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,000DC21E,00000000), ref: 000DCFF2

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ee8678a759d4064bfe1ae6f155784a665d5b350abaa43546fe38e42608c62c08
Instruction ID: 4c3bf533d62265e863c96906a0948fd10725c5fdd365538d58bebb288c4b1da0
Opcode Fuzzy Hash: ee8678a759d4064bfe1ae6f155784a665d5b350abaa43546fe38e42608c62c08
Instruction Fuzzy Hash: 28313C7150430AAFEB60DFA5C985EAEBBF9EB14350B10443EF506D2251DB34AE40DB60

Function 000C1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000C1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 000C19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 000C19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 000C19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 000C19E2

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 23a1d8afc0360bca605baa0567af44996c7a9c0008c331c34e393cc4c66de4f9
Instruction ID: 7fd47965854ec302c9db38826eff9e1f4013db808f25093077636d0bf92249ff
Opcode Fuzzy Hash: 23a1d8afc0360bca605baa0567af44996c7a9c0008c331c34e393cc4c66de4f9
Instruction Fuzzy Hash: E631AD71A00219EFEB10CFA8C999FEE7BB5EB06315F104229F921E72D2C7709954DB90

Function 000F5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 000F5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 000F579D
_wcslen.LIBCMT ref: 000F57AF
_wcslen.LIBCMT ref: 000F57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 000F5816

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e9ad4783eb99ab16be43dd4a71af50f84fc0d325d3ccd3b530553bf3d6b2b2fd
Instruction ID: d0dc4e5d9b91d793a3b9c280d8cb650538b958bea38fbcb8ea044761ad9bcc1a
Opcode Fuzzy Hash: e9ad4783eb99ab16be43dd4a71af50f84fc0d325d3ccd3b530553bf3d6b2b2fd
Instruction Fuzzy Hash: 8F21A53190861C9AEB209F60DC85AFE77B8FF04325F108216EB19EA581D7709985DF50

Function 000E0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000E0951
GetForegroundWindow.USER32 ref: 000E0968
GetDC.USER32(00000000), ref: 000E09A4
GetPixel.GDI32(00000000,?,00000003), ref: 000E09B0
ReleaseDC.USER32(00000000,00000003), ref: 000E09E8

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 519ce83b1e6dfbb0704571940df71aa2c7193c488fc3ae6b2601db91bca8b21b
Instruction ID: f0e7aeb75401aa6fc5e12e356a396719527e60df4a1a5edabfb69ef325342170
Opcode Fuzzy Hash: 519ce83b1e6dfbb0704571940df71aa2c7193c488fc3ae6b2601db91bca8b21b
Instruction Fuzzy Hash: CB21AE35600204AFE704EF65D989EAEBBE9EF48700F048029F84AE7762DB74AC44DB50

Function 0009CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0009CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0009CDE9

Part of subcall function 00093820: RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009CE0F
_free.LIBCMT ref: 0009CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0009CE31

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f05eb022eb390edd4a1e859301a88efea1eb22cd6982de73b68746343f5274dd
Instruction ID: 511839a533ec7bc4437d97cdb447e2187c670ea75c4ac554ddd38345708bee4f
Opcode Fuzzy Hash: f05eb022eb390edd4a1e859301a88efea1eb22cd6982de73b68746343f5274dd
Instruction Fuzzy Hash: 17018472E022157F3B2156B66C89D7F69ADEFC6BA13150129F906C7201EA658E01F2B0

Function 00079639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00079693
SelectObject.GDI32(?,00000000), ref: 000796A2
BeginPath.GDI32(?), ref: 000796B9
SelectObject.GDI32(?,00000000), ref: 000796E2

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 61cf6278b26abed11e9d7e757e64f8da70f50de988fc6ae921cf16046ab39db7
Instruction ID: 8d5b8adcc286f682fe8a60a825ebc4fb253904285cf28db18e31a68a00dc13eb
Opcode Fuzzy Hash: 61cf6278b26abed11e9d7e757e64f8da70f50de988fc6ae921cf16046ab39db7
Instruction Fuzzy Hash: 6F218E30802305FBEB119F64ED09BA93BA8BB41729F108316F418A65B0D37898D1DB98

Function 000C5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000C5726
_memcmp.LIBVCRUNTIME ref: 000C5744
_memcmp.LIBVCRUNTIME ref: 000C5757
_memcmp.LIBVCRUNTIME ref: 000C576F
_memcmp.LIBVCRUNTIME ref: 000C5787

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6b4fca711fdf681272961847fd57684c0c968539dd2443877694875708c16fbc
Instruction ID: 45dbf19870d6ce76ba156eb3d6d1636b72ea5e8f3fc83dda14fdc4c1616bd153
Opcode Fuzzy Hash: 6b4fca711fdf681272961847fd57684c0c968539dd2443877694875708c16fbc
Instruction Fuzzy Hash: 1F01D679245609BA92186310AE42FFE639CAF21396B000128FE049E642F7A0FE9192E4

Function 00092DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0008F2DE,00093863,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6), ref: 00092DFD
_free.LIBCMT ref: 00092E32
_free.LIBCMT ref: 00092E59
SetLastError.KERNEL32(00000000,00061129), ref: 00092E66
SetLastError.KERNEL32(00000000,00061129), ref: 00092E6F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b7f48b8a41835a2d55e7138d60587fdf634d5c69ed6455c694b21621401ffe51
Instruction ID: d86151477328ff50d0fe07a9f08205c9b0b207cc3708a418a2e30f601edb60d7
Opcode Fuzzy Hash: b7f48b8a41835a2d55e7138d60587fdf634d5c69ed6455c694b21621401ffe51
Instruction Fuzzy Hash: B001F4726056007BDE22A7746CC6DAF26DDAFD13A5B210028F425A2193EB748C1171A0

Function 000C000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?,?,000C035E), ref: 000C002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?), ref: 000C0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0070

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 31091adfc7eef354fc29aac864c09c603941f99fa8ec5e4e5a09e32f26876533
Instruction ID: 84e73e8ca390c0f34e8db6717245d39e7d19d973aa540bbcb49cf12e078cc27a
Opcode Fuzzy Hash: 31091adfc7eef354fc29aac864c09c603941f99fa8ec5e4e5a09e32f26876533
Instruction Fuzzy Hash: 39018F72600209FFEB108F68DD05FAE7AEDEB44791F254128F905D2210DB75DD40DBA0

Function 000CE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 000CE997
QueryPerformanceFrequency.KERNEL32(?), ref: 000CE9A5
Sleep.KERNEL32(00000000), ref: 000CE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 000CE9B7
Sleep.KERNEL32 ref: 000CE9F3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 85fe0a9ce241a292450c60d4b2de37ec769d9bb1281d5710309085e1d03e7d43
Instruction ID: 2463747da8bb6e574e50f705b2cdc9a8fe8dcb6d396885c45f4ffdd93ae20b4a
Opcode Fuzzy Hash: 85fe0a9ce241a292450c60d4b2de37ec769d9bb1281d5710309085e1d03e7d43
Instruction Fuzzy Hash: 27015731C0162DDBEF40ABE4D94AEEDBB78FF0A300F00055AE502B2241CB349651DBA2

Function 000C10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000C1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000C114D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6121a1fffbdf77d0590efe048c4f71509962838cbf2da7831e718d0e25b5710b
Instruction ID: aa35800ad083e6207bc79c8af8c45fa8cd8fd3193b208572b62a10e6a3f0e3b5
Opcode Fuzzy Hash: 6121a1fffbdf77d0590efe048c4f71509962838cbf2da7831e718d0e25b5710b
Instruction Fuzzy Hash: 84016D75100309BFEB115FA4DD4AEAA3BAEEF863A0B140418FA41C3350DB35DC10DA60

Function 000C0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000C0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000C0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000C0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000C0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000C1002

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5661f7c83188bc91dc95267b97cd9349c5cac91fc216c08efbfb21c5ac3d598e
Instruction ID: 4e72c7d0beb23dca39bd9035364b78754be3a9f91ff074e6c169c59a2863909a
Opcode Fuzzy Hash: 5661f7c83188bc91dc95267b97cd9349c5cac91fc216c08efbfb21c5ac3d598e
Instruction Fuzzy Hash: 15F04935200309ABEB214FA49D4AFAA3BADFF8A762F214419FA45C6251CA74DC50DA60

Function 000C1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000C102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000C1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000C104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C1062

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 857153678a8ac0a30b7618ec25f64d858fe69aef7e761854fe9b51c8729d242e
Instruction ID: 093f61264de7c0eb0637194bade5f9d27d1ded156b2f5d3259d1b49a5407dd1b
Opcode Fuzzy Hash: 857153678a8ac0a30b7618ec25f64d858fe69aef7e761854fe9b51c8729d242e
Instruction Fuzzy Hash: 52F06235140305EBF7215FA4ED4AFAA3BADFF8A761F210414FD45C7251CA74D960DA60

Function 000D030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D0324
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D0331
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D033E
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D034B
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D0358
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D0365

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ade67622b3234578ea7d8613d90b01f069a5fdad806786dcae591d013fd6ad5d
Instruction ID: 900250d5d2f85e2e01edb008c1918e4703d3d0af2d15f15f2a92108b663aef85
Opcode Fuzzy Hash: ade67622b3234578ea7d8613d90b01f069a5fdad806786dcae591d013fd6ad5d
Instruction Fuzzy Hash: 4C01AE72800B559FCB30AF66D880916FBF9BF603153158A3FD19A52A31C3B1AA58DF90

Function 0009D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0009D752

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 0009D764
_free.LIBCMT ref: 0009D776
_free.LIBCMT ref: 0009D788
_free.LIBCMT ref: 0009D79A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3b64ebe2f312fc116a2066d36ef400f4286595fd18e1fb228cd8e2490518c69d
Instruction ID: 94ad35b39aafd01115aad587a9e18ae3b29e3649792bcf16f825b4263aebdbe9
Opcode Fuzzy Hash: 3b64ebe2f312fc116a2066d36ef400f4286595fd18e1fb228cd8e2490518c69d
Instruction Fuzzy Hash: 91F0FF32588205BB8E61EBA4F9C5C5AB7DDBB447107A40806F18CE7902D720FCC0A6E4

Function 000C5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000C5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 000C5C6F
MessageBeep.USER32(00000000), ref: 000C5C87
KillTimer.USER32(?,0000040A), ref: 000C5CA3
EndDialog.USER32(?,00000001), ref: 000C5CBD

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 20ed89726da3595b0169d2e7d22df616f90b79f35167c14e15eaa06030a46c9b
Instruction ID: 1420a1f9e280d290425dac81ff9fddf5ef1471364e0c37035e7c3fd317ead49f
Opcode Fuzzy Hash: 20ed89726da3595b0169d2e7d22df616f90b79f35167c14e15eaa06030a46c9b
Instruction Fuzzy Hash: 3F011234504B08AFFB215B10DE8FFAA77B8BB04B06F04155DA593A14E1DBF4B988DA90

Function 000922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000922BE

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 000922D0
_free.LIBCMT ref: 000922E3
_free.LIBCMT ref: 000922F4
_free.LIBCMT ref: 00092305

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d7c25166e6bfe2cb445c52f0acdb58dd1824c5e19d211265d53913b5d89fa508
Instruction ID: 3ca4e57cca68b9d99c5fec3bda053e494ffb8c03a322dbf0e29967fdecedfdb5
Opcode Fuzzy Hash: d7c25166e6bfe2cb445c52f0acdb58dd1824c5e19d211265d53913b5d89fa508
Instruction Fuzzy Hash: 7DF0FE75801520BBCE23EF54BC1188D3BA9F718B61715454AF458D6AB2C73109E2FFE4

Function 000795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000795D4
StrokeAndFillPath.GDI32(?,?,000B71F7,00000000,?,?,?), ref: 000795F0
SelectObject.GDI32(?,00000000), ref: 00079603
DeleteObject.GDI32 ref: 00079616
StrokePath.GDI32(?), ref: 00079631

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9557d7dd01bc28d63baae26919ed5f5602b12170498efa32b271195f4610170f
Instruction ID: 2a6432bb6e167ca0b28b7b5e9676662d75d2dd7b7f5710c5d8ac9e2f791fb058
Opcode Fuzzy Hash: 9557d7dd01bc28d63baae26919ed5f5602b12170498efa32b271195f4610170f
Instruction Fuzzy Hash: A1F0EC35405608EBEB269F65EE1DB743BA5BB0133AF048314F469558F0CB3889A5EF24

Function 00090F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000910F9
__freea.LIBCMT ref: 00091117

Part of subcall function 00091537: _free.LIBCMT ref: 0009154F

Strings

am/pm, xrefs: 0009117A
a/p, xrefs: 000911DE

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b9cb620e7dc1cf44e3d88255e8a36105b957d165fdac74ea4e55d7a4487f72a4
Instruction ID: e56f6d5cd35125d4dc8eba7da68c116a20d710fdf356a737e5701f9695d9aa08
Opcode Fuzzy Hash: b9cb620e7dc1cf44e3d88255e8a36105b957d165fdac74ea4e55d7a4487f72a4
Instruction Fuzzy Hash: B3D10071B00207DADF689F68C845BFEB7F1EF05300F288159E9119BA91D3B59E81EB91

Function 000E7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00080242: EnterCriticalSection.KERNEL32(0013070C,00131884,?,?,0007198B,00132518,?,?,?,000612F9,00000000), ref: 0008024D
Part of subcall function 00080242: LeaveCriticalSection.KERNEL32(0013070C,?,0007198B,00132518,?,?,?,000612F9,00000000), ref: 0008028A

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000800A3: __onexit.LIBCMT ref: 000800A9

__Init_thread_footer.LIBCMT ref: 000E7BFB

Part of subcall function 000801F8: EnterCriticalSection.KERNEL32(0013070C,?,?,00078747,00132514), ref: 00080202
Part of subcall function 000801F8: LeaveCriticalSection.KERNEL32(0013070C,?,00078747,00132514), ref: 00080235

Strings

G, xrefs: 000E7C7F
5, xrefs: 000E7C78
Variable must be of type 'Object'., xrefs: 000E7C3A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: b91103995fc53d956744c85d5bfb8e23397e2d3b0da0465bcea83126aae3008d
Instruction ID: 64ebdbe24c04d0c49773aed992a4e51bdbcaecd45aaeded431fa74337f38fd4a
Opcode Fuzzy Hash: b91103995fc53d956744c85d5bfb8e23397e2d3b0da0465bcea83126aae3008d
Instruction Fuzzy Hash: 92919A70A08249EFCB14EF95D981DFDB7B6BF49300F108059F80AAB292DB71AE41CB51

Function 000C2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000C21D0,?,?,00000034,00000800,?,00000034), ref: 000CB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000C2760

Part of subcall function 000CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 000CB3F8

Part of subcall function 000CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 000CB355
Part of subcall function 000CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000C2194,00000034,?,?,00001004,00000000,00000000), ref: 000CB365
Part of subcall function 000CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000C2194,00000034,?,?,00001004,00000000,00000000), ref: 000CB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000C27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000C281A

Strings

@, xrefs: 000C2832

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 8aecb8cdf92b2d89cef71744fd9c298a0006f865f1d3f976d2d1c49feb35d43f
Instruction ID: 0900e7d668503ef3940ea13a826a30eddc527b1923666de02d8eaf333438ece2
Opcode Fuzzy Hash: 8aecb8cdf92b2d89cef71744fd9c298a0006f865f1d3f976d2d1c49feb35d43f
Instruction Fuzzy Hash: D6411B72900218AFDB10DBA4CD86FEEBBB8EF09700F104199FA55B7181DB706E45DBA1

Function 0009172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00091769
_free.LIBCMT ref: 00091834
_free.LIBCMT ref: 0009183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00091760, 00091767, 00091796, 000917CE

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3587028468
Opcode ID: 7cc998acd193ad0a1a2862778df7a92e3101b6dfc21dea4b7afe799989b9c0ba
Instruction ID: f7e62c1e35265642207a60615509257c6cff95ebf577924dff6e585a5d217f71
Opcode Fuzzy Hash: 7cc998acd193ad0a1a2862778df7a92e3101b6dfc21dea4b7afe799989b9c0ba
Instruction Fuzzy Hash: 14318075B0421ABBDF21DB999885DDFBBFCEB85310B2441A6F80497211DA708E40EBA0

Function 000CC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 000CC306
DeleteMenu.USER32(?,00000007,00000000), ref: 000CC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00131990,00C36BA8), ref: 000CC395

Strings

0, xrefs: 000CC2DF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: f5cb2bce34b44ff75ddb72499334b90ebb4a365a38368244115f5a062c6357eb
Instruction ID: de3b8c87f36e396a18500d539d9d8f651dc47ec6bb0c33a1855ec55bdf370a23
Opcode Fuzzy Hash: f5cb2bce34b44ff75ddb72499334b90ebb4a365a38368244115f5a062c6357eb
Instruction Fuzzy Hash: 244180712043419FE724DF25E845F6EBBE8AF85310F14861DF9A9972D2D730AA04CB52

Function 000F4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,000FCC08,00000000,?,?,?,?), ref: 000F44AA
GetWindowLongW.USER32 ref: 000F44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000F44D7

Strings

SysTreeView32, xrefs: 000F447C

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 83b4f2c6742692d038a699f7b0f9cedf058e2f4172bfd102b19799f0740f48fd
Instruction ID: 62acef8b679cebb807b5c40f876f3b1eef389dd9c9d17e8b867b8f6f8fbc622b
Opcode Fuzzy Hash: 83b4f2c6742692d038a699f7b0f9cedf058e2f4172bfd102b19799f0740f48fd
Instruction Fuzzy Hash: 90319C31214609AFEB609E38DC46BEB77A9EB08324F204715FA79A25E1D774EC50AB50

Function 000E304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,000E3077,?,?), ref: 000E3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000E307A
_wcslen.LIBCMT ref: 000E309B
htons.WSOCK32(00000000,?,?,00000000), ref: 000E3106

Strings

255.255.255.255, xrefs: 000E3095, 000E309A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d402e778596229aaec150f09a8e623a114714c2295f591fcf805491cc0898b6a
Instruction ID: c93e68f3f23bbfdc8011699c298946b28d0801999c51b3f962ad9db5b329cabe
Opcode Fuzzy Hash: d402e778596229aaec150f09a8e623a114714c2295f591fcf805491cc0898b6a
Instruction Fuzzy Hash: FF3107352002859FDB20CF6AC599EAABBE0EF54314F258099E915AB792CB32DF45C760

Function 000F3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 000F3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 000F3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 000F3F78

Strings

SysMonthCal32, xrefs: 000F3F0B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 99c05e2bf80288943c236faf58eb26b30cd8ee16c8d82e6e720983732a9addd5
Instruction ID: f1f62b3b144c9ed8923e32722cef65dc7bbbf5497aa95714adcb1e59e077a0ff
Opcode Fuzzy Hash: 99c05e2bf80288943c236faf58eb26b30cd8ee16c8d82e6e720983732a9addd5
Instruction Fuzzy Hash: 10219F32600219BFEF218F50DC46FEA3BB9EF48724F110214FA15AB1D0D6B5AD54DB90

Function 000F4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000F4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000F4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000F471A

Strings

msctls_updown32, xrefs: 000F4684

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 80302691af44b1d20dd962113f969c5564952733befcb5c5f2f870cc0f93139e
Instruction ID: 83f3bacb6f7439ca7f787991afbbce90c558be9a372015e68b22b0f8c3494f2b
Opcode Fuzzy Hash: 80302691af44b1d20dd962113f969c5564952733befcb5c5f2f870cc0f93139e
Instruction Fuzzy Hash: 55213EB5604209AFEB11EF64DC81DB737EDEF9A398B050059FA009B652CB71EC51DB60

Function 000C95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000C961D

Strings

#notrayicon, xrefs: 000C95B7
#OnAutoItStartRegister, xrefs: 000C95F3
#requireadmin, xrefs: 000C95D9

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f9ff12315ff0fd247181d98a8ab890c421e1c8989fc6268bf92d3895d250de30
Instruction ID: 7cde19bf8ce998a6017ec4e5c165fde73b0d787002e0078998b9dd6e84cac5e4
Opcode Fuzzy Hash: f9ff12315ff0fd247181d98a8ab890c421e1c8989fc6268bf92d3895d250de30
Instruction Fuzzy Hash: 30212B72204A1166D331BB24DC0AFFF73D8AF95314F54402EFA899B182EBA19D41D395

Function 000F37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000F3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000F3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000F3876

Strings

Listbox, xrefs: 000F380F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0f0278568c04e51ef195f28ef6dae6d0e70bdc918e56f8cdf1976b1a22b7ff50
Instruction ID: 679f137bdc1ac70eacf4e251f4545ef2bda5cacb838bac778030b1536af15d7f
Opcode Fuzzy Hash: 0f0278568c04e51ef195f28ef6dae6d0e70bdc918e56f8cdf1976b1a22b7ff50
Instruction Fuzzy Hash: 8B21B072604218BBEB219F54CC41FBB37AEEF897A0F108124FA009B590CA75DC52D7A0

Function 000D49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000D4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000D4A5C
SetErrorMode.KERNEL32(00000000,?,?,000FCC08), ref: 000D4AD0

Strings

%lu, xrefs: 000D4A6F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: dbbda1c45999342f89ba8323cfe52de691bd7e3ee3ed78872bf980246a9c5658
Instruction ID: 8732ee7fd3d9548067f7669b563d8d7c9502e2ca638c23c119eaafbd76cbadd8
Opcode Fuzzy Hash: dbbda1c45999342f89ba8323cfe52de691bd7e3ee3ed78872bf980246a9c5658
Instruction Fuzzy Hash: DE318E74A00208AFDB10DF58C981EAA7BF8EF08318F1480A9E909DB352D775ED45CB61

Function 000F41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000F424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000F4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000F4271

Strings

msctls_trackbar32, xrefs: 000F4226

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 758bc2d5fb0588a59c1aa67de7ae17ceea5f2a0f6c11a3f9698d467ead309048
Instruction ID: e0d465105959eb17129c094f703ce5ba2362d9df5a92fb55d61c78e13ca11247
Opcode Fuzzy Hash: 758bc2d5fb0588a59c1aa67de7ae17ceea5f2a0f6c11a3f9698d467ead309048
Instruction Fuzzy Hash: 1111E031240248BEEF609E28CC06FBB3BACEF85B64F010524FA55E20A0D271D861EB20

Function 000C2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

Part of subcall function 000C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000C2DC5
Part of subcall function 000C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C2DD6
Part of subcall function 000C2DA7: GetCurrentThreadId.KERNEL32 ref: 000C2DDD
Part of subcall function 000C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000C2DE4

GetFocus.USER32 ref: 000C2F78

Part of subcall function 000C2DEE: GetParent.USER32(00000000), ref: 000C2DF9

GetClassNameW.USER32(?,?,00000100), ref: 000C2FC3
EnumChildWindows.USER32(?,000C303B), ref: 000C2FEB

Strings

%s%d, xrefs: 000C2FFF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 2b9cc84d0246f46da6ac23a305f0ff5c4f0623dfbf772268d2ba3a52fac136cd
Instruction ID: b2f8b52e5f98dce6574c5310bcab0abb6be63a99be6e99dc947af71e4729ed3d
Opcode Fuzzy Hash: 2b9cc84d0246f46da6ac23a305f0ff5c4f0623dfbf772268d2ba3a52fac136cd
Instruction Fuzzy Hash: 5B11CD71600209ABDF506F608C96FFE37AAAF94304F048079B90A9B293DF7199499B60

Function 000F5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000F58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000F58EE
DrawMenuBar.USER32(?), ref: 000F58FD

Strings

0, xrefs: 000F588F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f511a675ebeaa431a445476522d0088e35ce4dc65e2ed246dd67582891475b20
Instruction ID: 9d6b0af7f5daf83b544458d51c35f8e74dbf49ec4a06040fb03ad2619842479b
Opcode Fuzzy Hash: f511a675ebeaa431a445476522d0088e35ce4dc65e2ed246dd67582891475b20
Instruction Fuzzy Hash: 04018B3150420CEEEB209F21DC45BBEBBB4FF45761F108099EA49D6151DB748A84EF20

Function 000C007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183aa159bfd74454067de64fab475f10bf3b4d06a3145d7d4a01c5c64a31c619
Instruction ID: d4020519ceb9ae81e96405499d23a37b0f3188700ac47d1b6426346a8a377f61
Opcode Fuzzy Hash: 183aa159bfd74454067de64fab475f10bf3b4d06a3145d7d4a01c5c64a31c619
Instruction Fuzzy Hash: A6C11875A0021AEFDB14CFA4C898FAEB7B9FF48704F148598E905AB251D731EE41DB90

Function 00093E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00093F0B
__alldvrm.LIBCMT ref: 0009410C
__alldvrm.LIBCMT ref: 0009412E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 4dcc75402817c8552281446835fa7b85418ef68598630504a89c23ba243402a1
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: FCA16B76E003869FDF25CF28C891BAEBBE5EF61350F14416DE5959B382C2358D82DB50

Function 000E342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000E3459
CoUninitialize.OLE32 ref: 000E3463
VariantInit.OLEAUT32(?), ref: 000E346E
VariantClear.OLEAUT32(?), ref: 000E371B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 81f877eca945a10e0cf5b76ee0d47db592ffbe097a139ee43f9a73328f0c9d77
Instruction ID: a8d704dae2fdb23a059d6d49bbd485e557b3f2e5942790bfdc02a7df3fbcce1b
Opcode Fuzzy Hash: 81f877eca945a10e0cf5b76ee0d47db592ffbe097a139ee43f9a73328f0c9d77
Instruction Fuzzy Hash: 08A14A756047009FD710DF29C585A6ABBE5FF88714F04885DF98AAB362DB70EE01CB91

Function 000C0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,000FFC08,?), ref: 000C05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,000FFC08,?), ref: 000C0608
CLSIDFromProgID.OLE32(?,?,00000000,000FCC40,000000FF,?,00000000,00000800,00000000,?,000FFC08,?), ref: 000C062D
_memcmp.LIBVCRUNTIME ref: 000C064E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 06091913bb53bfac1d3b60c682561eff0375fc2eb8218d3966a480a832f49eda
Instruction ID: 5d079f508465ed6ade8ccb2eb4c16dbbde831f29887556de2e223bfdc0d6334b
Opcode Fuzzy Hash: 06091913bb53bfac1d3b60c682561eff0375fc2eb8218d3966a480a832f49eda
Instruction Fuzzy Hash: 0781E975A00109EFDB04DF94C988EEEB7B9FF89315F204558E516AB250DB71AE06CF60

Function 000EA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000EA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 000EA6BA

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Process32NextW.KERNEL32(00000000,?), ref: 000EA79C
CloseHandle.KERNEL32(00000000), ref: 000EA7AB

Part of subcall function 0007CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,000A3303,?), ref: 0007CE8A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 62dddef7835342039384a410f676f8d7340f3e464b071ff092ab182084be7a0b
Instruction ID: 4afa78eb29e5863d217058f809ad188370dcfa8cd70ebf82d9578ffe3efe312a
Opcode Fuzzy Hash: 62dddef7835342039384a410f676f8d7340f3e464b071ff092ab182084be7a0b
Instruction Fuzzy Hash: A0517F715083009FD310EF24C986EABBBE9FF89754F40491DF589A7292EB30E904CB92

Function 000A1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000A14C0

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4c976151766ff56251852435a1f5440bf21097733011a174c8ceefc1c4c02f4e
Instruction ID: 0b7c4459f418ee28aa57345a0d3de22513fbbc55936e3530d49f7dc365ee3fcf
Opcode Fuzzy Hash: 4c976151766ff56251852435a1f5440bf21097733011a174c8ceefc1c4c02f4e
Instruction Fuzzy Hash: 1A412931A00615ABDF217BFD9C46AFE3AE4FF4B370F144225F429D6193E6348941A3A2

Function 000F6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000F62E2
ScreenToClient.USER32(?,?), ref: 000F6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 000F6382

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bdd1c7377dcac5262804f328ab06e95debd9375c2036d88c6e5b47982050ec0f
Instruction ID: 353b14168beec3ecb2a116c8c4019c29b766a99226312f33247300f94ae0c0c6
Opcode Fuzzy Hash: bdd1c7377dcac5262804f328ab06e95debd9375c2036d88c6e5b47982050ec0f
Instruction Fuzzy Hash: 2C515A70A00209EFDB50DF68D881ABE7BF6EF45360F108169FA159B691D731EE81EB50

Function 000E1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 000E1AFD
WSAGetLastError.WSOCK32 ref: 000E1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 000E1B8A
WSAGetLastError.WSOCK32 ref: 000E1B94

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d41db9f7e2240a06b1b319f80a0c7e7c022ee77930d8c967ab597349db3ffe30
Instruction ID: 6435c1f43ef6d4c52ce02446a44a143dc68630c8f3cd17e49fb6adfe1702095b
Opcode Fuzzy Hash: d41db9f7e2240a06b1b319f80a0c7e7c022ee77930d8c967ab597349db3ffe30
Instruction Fuzzy Hash: 6941D274600200AFE720AF24C886FAA77E6AB44718F54C498F91A9F7D3D776ED41CB90

Function 0009B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8201f8d9a8b90b842949f516aa020364942e32d64ca92f328afd054840302ce4
Instruction ID: a2d127556653bf1a8474098895bc79cd885ddfb7c30193ee7d201afeca3b5fbc
Opcode Fuzzy Hash: 8201f8d9a8b90b842949f516aa020364942e32d64ca92f328afd054840302ce4
Instruction Fuzzy Hash: 28411675A00704BFDB24AF78DD41BEABBE9EF88720F10452AF151DB292D7719901A780

Function 000D56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000D5783
GetLastError.KERNEL32(?,00000000), ref: 000D57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000D57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000D57FA

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ce17f72a27e9e9c7aa0293491a2702d5cb2cfa49ac247a8c615fc51400ebcf54
Instruction ID: 485e123cc0b2ed146c76d1c978f3e83cf473c52181934cc92feef4b1adfcde1b
Opcode Fuzzy Hash: ce17f72a27e9e9c7aa0293491a2702d5cb2cfa49ac247a8c615fc51400ebcf54
Instruction Fuzzy Hash: AC415D35200A10DFCB10DF15C545A9EBBF2EF89325B188489EC4AAB362CB74FD41DB91

Function 0009D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00086D71,00000000,00000000,000882D9,?,000882D9,?,00000001,00086D71,8BE85006,00000001,000882D9,000882D9), ref: 0009D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0009D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0009D9AB
__freea.LIBCMT ref: 0009D9B4

Part of subcall function 00093820: RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 64c35d06ac2971e9191bdd5549b28e74757b328792ea59387c5db77a0ca96799
Instruction ID: 0590f00c1e12ea2192ac1d467adc1205d85714ed5de678010c029359f292f46c
Opcode Fuzzy Hash: 64c35d06ac2971e9191bdd5549b28e74757b328792ea59387c5db77a0ca96799
Instruction Fuzzy Hash: 2C31BE72A1020AABDF25EFA4DC41EEF7BA5EB41310B05416AFC04D7291EB39CD54EB90

Function 000F52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 000F5352
GetWindowLongW.USER32(?,000000F0), ref: 000F5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000F5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000F53A8

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 78d55f6b28982bd2cb00f89f11533808fbd36e5e40681513dc1b6273b769ddab
Instruction ID: cd421295fbc9c44ddf130db45e402093195e1df272174427127e662ef3da161b
Opcode Fuzzy Hash: 78d55f6b28982bd2cb00f89f11533808fbd36e5e40681513dc1b6273b769ddab
Instruction Fuzzy Hash: 38319034A55A0CEFEB709A1CCC46FF877A6AB05392F584101FB51969E1C7B49B80FB42

Function 000CAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 000CABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 000CAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 000CAC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 000CACC6

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b13022a729c997bb1e96cd75694b81c75400c0b96f74c8b093e6cf18a8db1cb4
Instruction ID: 066645209a535889f62084748598e6b8cac56262b303e7acfb6f2c14d60f6389
Opcode Fuzzy Hash: b13022a729c997bb1e96cd75694b81c75400c0b96f74c8b093e6cf18a8db1cb4
Instruction Fuzzy Hash: 2F312630B4461C6FFF34CB688C89FFE7BE5AB8A328F04421EE485921D1C37889859752

Function 000F7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 000F769A
GetWindowRect.USER32(?,?), ref: 000F7710
PtInRect.USER32(?,?,000F8B89), ref: 000F7720
MessageBeep.USER32(00000000), ref: 000F778C

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 683a4535fd8d43a72f70f1cc8447123120188dae4d854ec8963142bc3914d7a4
Instruction ID: 246d6f3ee7008a1ce24cc11b0d53915dd5d0f212ba8fb7cd83fcf200e3bcd439
Opcode Fuzzy Hash: 683a4535fd8d43a72f70f1cc8447123120188dae4d854ec8963142bc3914d7a4
Instruction Fuzzy Hash: E5419E34609318EFDB11EF58C894EB977F5BB48304F1940A8E618DBA61C331E981EB92

Function 000F16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000F16EB

Part of subcall function 000C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C3A57
Part of subcall function 000C3A3D: GetCurrentThreadId.KERNEL32 ref: 000C3A5E
Part of subcall function 000C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000C25B3), ref: 000C3A65

GetCaretPos.USER32(?), ref: 000F16FF
ClientToScreen.USER32(00000000,?), ref: 000F174C
GetForegroundWindow.USER32 ref: 000F1752

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 938e12b8b57b62b066a75720c9023a44b3b94fe28696aab4f5cf33667e7c1094
Instruction ID: 7f14565ac3b46f7a262d5a64f986a6877e3fde34c3e0d0ab5fc1cfa6afb5a472
Opcode Fuzzy Hash: 938e12b8b57b62b066a75720c9023a44b3b94fe28696aab4f5cf33667e7c1094
Instruction Fuzzy Hash: DE315E75D04249EFD704EFA9C981CFEBBF9EF48304B5080AAE419E7612D6319E45CBA0

Function 000CDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00067620: _wcslen.LIBCMT ref: 00067625

_wcslen.LIBCMT ref: 000CDFCB
_wcslen.LIBCMT ref: 000CDFE2
_wcslen.LIBCMT ref: 000CE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 000CE018

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 52875cf7b4115d972124a4864fb7a19644b4fc28e45544a1537ca4f92bf51235
Instruction ID: 25dec86506dd604a55fee5c44731b1bde29ca4c6ce907e1384d7936685f17219
Opcode Fuzzy Hash: 52875cf7b4115d972124a4864fb7a19644b4fc28e45544a1537ca4f92bf51235
Instruction Fuzzy Hash: ED21A675900215AFCB20EFA4D982FAEB7F8FF45750F244069E945BB282D6709E41CBA1

Function 000F8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

GetCursorPos.USER32(?), ref: 000F9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000B7711,?,?,?,?,?), ref: 000F9016
GetCursorPos.USER32(?), ref: 000F905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000B7711,?,?,?), ref: 000F9094

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cbf3a224a6599ddc066e82cbc3b3d3e1fbe70b8b8f9329b4006896fa524106ed
Instruction ID: 025636d2d4757b1985e8d82b5ca9b128c9896ea60414f6dde2eb79cb8df20037
Opcode Fuzzy Hash: cbf3a224a6599ddc066e82cbc3b3d3e1fbe70b8b8f9329b4006896fa524106ed
Instruction Fuzzy Hash: 72219C3560001CEFDB258FA4C859FFA3BB9EB89750F004065FA058B6A1CB359990EF60

Function 000CD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,000FCB68), ref: 000CD2FB
GetLastError.KERNEL32 ref: 000CD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 000CD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,000FCB68), ref: 000CD376

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 57ea83552eb0097d15d8c1adad66886a2d834d16f0b1e7e5d6acbae9b0fabea8
Instruction ID: 4d5fa2771a683b708141af27f8b7012050e76eba219dffd4de525676618ab53d
Opcode Fuzzy Hash: 57ea83552eb0097d15d8c1adad66886a2d834d16f0b1e7e5d6acbae9b0fabea8
Instruction Fuzzy Hash: 9F21A3705082059F9310DF24C981DAEB7E8EF55364F504A2EF499C72E2DB30DA45DB93

Function 000C1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000C102A
Part of subcall function 000C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000C1036
Part of subcall function 000C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C1045
Part of subcall function 000C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000C104C
Part of subcall function 000C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000C15BE
_memcmp.LIBVCRUNTIME ref: 000C15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C1617
HeapFree.KERNEL32(00000000), ref: 000C161E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 438c006a79f550dde6fb18614a25eddf1d79dfe228987a2ef18f8b47bc114d13
Instruction ID: cd7210b67435f9dabe7d77ec36884ae7aaad31ea71b693ecc9512a6b496c1687
Opcode Fuzzy Hash: 438c006a79f550dde6fb18614a25eddf1d79dfe228987a2ef18f8b47bc114d13
Instruction Fuzzy Hash: 41214871E00109EFEB10DFA4CA49FEEB7F8EF46354F184459E441AB242E775AA05DBA0

Function 000F2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 000F280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000F2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000F2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000F2840

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 95036149841ae2787c64405b35e371404b2998c6449ac2ec1663d571aa3815eb
Instruction ID: b8384e38084ae1b907663cf89819c319ddef5b31a442f8bb247dd2fd894fca7b
Opcode Fuzzy Hash: 95036149841ae2787c64405b35e371404b2998c6449ac2ec1663d571aa3815eb
Instruction Fuzzy Hash: D8212131209619AFE710EB24C845FBA7B95AF45324F148158F526CBAE2CB75FC82D790

Function 000C78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,000C790A,?,000000FF,?,000C8754,00000000,?,0000001C,?,?), ref: 000C8D8C
Part of subcall function 000C8D7D: lstrcpyW.KERNEL32(00000000,?,?,000C790A,?,000000FF,?,000C8754,00000000,?,0000001C,?,?,00000000), ref: 000C8DB2
Part of subcall function 000C8D7D: lstrcmpiW.KERNEL32(00000000,?,000C790A,?,000000FF,?,000C8754,00000000,?,0000001C,?,?), ref: 000C8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,000C8754,00000000,?,0000001C,?,?,00000000), ref: 000C7923
lstrcpyW.KERNEL32(00000000,?,?,000C8754,00000000,?,0000001C,?,?,00000000), ref: 000C7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,000C8754,00000000,?,0000001C,?,?,00000000), ref: 000C7984

Strings

cdecl, xrefs: 000C797B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0c00e9e3586d27cfdc0ba854e211f3dc2b7f1c22811c399d01346f8751ce2694
Instruction ID: fec5a52a7c5a57df42e43ce74e84fecbbffabf59b4f4d90f069fc2a2141dbcb8
Opcode Fuzzy Hash: 0c00e9e3586d27cfdc0ba854e211f3dc2b7f1c22811c399d01346f8751ce2694
Instruction Fuzzy Hash: C311293A200306ABDB155F34D845EBE77E5FF85350B10802EF94AC72A5EF319811DB65

Function 000F7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 000F7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 000F7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000F7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000DB7AD,00000000), ref: 000F7D6B

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 57d2f9660d900bdad7b48b83ef3da8aa911a651a42d4daa0f938d5979db47a0d
Instruction ID: 06a61b352cf693c0ce4f1fb47ec943b2e27d162cacd1355bd6a3291b3d8a3fa1
Opcode Fuzzy Hash: 57d2f9660d900bdad7b48b83ef3da8aa911a651a42d4daa0f938d5979db47a0d
Instruction Fuzzy Hash: D411DF31608619AFDB108F28CC04EBA3BA5AF45360B518328F939CBAF0D7308D51EB80

Function 000F5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 000F56BB
_wcslen.LIBCMT ref: 000F56CD
_wcslen.LIBCMT ref: 000F56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 000F5816

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e2d33541b65c3f2759450a2234b8c8365b8a23db7a9b7e91e1163e9ff5e5c138
Instruction ID: 76efe79dc68e5954a02d73bb10babcc6b27e23311700bebadca88b07ba1df0f5
Opcode Fuzzy Hash: e2d33541b65c3f2759450a2234b8c8365b8a23db7a9b7e91e1163e9ff5e5c138
Instruction Fuzzy Hash: B411B47160460DA6EF20DF618C85AFE77ACAF11766B104026FB55D6481EB709A80DB64

Function 00091D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc935e3906447a841255eab8c0932037b190ac2b05b1ae3964a11ff9f046fb3c
Instruction ID: 2dcabe77b962c1c6e4e53f203913a8ed9ad9a41eb98f1e6cb1e2d80edbeff038
Opcode Fuzzy Hash: cc935e3906447a841255eab8c0932037b190ac2b05b1ae3964a11ff9f046fb3c
Instruction Fuzzy Hash: 92014FF230A61B7EFE6116786CC1FA7669DEF423B8B340325F535511D2DB648C40A160

Function 000C1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000C1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000C1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000C1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000C1A8A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fded0def5b43a2ee2dd33a436bde5fdc8d32da947d56e6f9ff457c2388462231
Instruction ID: 728bf0dfe9f87dfaf96dcb747a1f2d2299d4201a9b887d795b13543d8e519e6a
Opcode Fuzzy Hash: fded0def5b43a2ee2dd33a436bde5fdc8d32da947d56e6f9ff457c2388462231
Instruction Fuzzy Hash: F211393AD01219FFEB10DBA4CD85FEDBBB8EB08750F200095EA00B7291D6716E50DB94

Function 000CE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000CE1FD
MessageBoxW.USER32(?,?,?,?), ref: 000CE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000CE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000CE24D

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: da73e3d18990fe8d7a1ec4d205c567a57c5c415b5e8888392ae7ec1931af6057
Instruction ID: bd87296eb659e56a1c447a0405cc40da3bd0f4244a145f529f3934819e011b82
Opcode Fuzzy Hash: da73e3d18990fe8d7a1ec4d205c567a57c5c415b5e8888392ae7ec1931af6057
Instruction Fuzzy Hash: 0011D676904258BBE7019FA8EC0AFAE7FADFB45320F044259F924E3691D6B4CD0497A0

Function 0008D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0008CFF9,00000000,00000004,00000000), ref: 0008D218
GetLastError.KERNEL32 ref: 0008D224
__dosmaperr.LIBCMT ref: 0008D22B
ResumeThread.KERNEL32(00000000), ref: 0008D249

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: bac218cf0b60bf5bd99123974dc2bf44842446920c7e8f585d2066d9276c319f
Instruction ID: 79d6b61163c4306a9c6b0e9122f5a1d4cd3d9c3d095f570cc5a057a810839caf
Opcode Fuzzy Hash: bac218cf0b60bf5bd99123974dc2bf44842446920c7e8f585d2066d9276c319f
Instruction Fuzzy Hash: DA01D6364051087BEB217BA5DC09BAE7B69FF91330F10031AF965961E1CF708901D7A0

Function 000F9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

GetClientRect.USER32(?,?), ref: 000F9F31
GetCursorPos.USER32(?), ref: 000F9F3B
ScreenToClient.USER32(?,?), ref: 000F9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 000F9F7A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 63ffe50fb0dbe219a0ac9e7355ac78e68a79416723b9da362946dfb1d0199dc5
Instruction ID: 2519577cfb2478098f3075141308bb9df62c6b36e23d95a4387e10093cf0f78a
Opcode Fuzzy Hash: 63ffe50fb0dbe219a0ac9e7355ac78e68a79416723b9da362946dfb1d0199dc5
Instruction Fuzzy Hash: E111363290021EABEB10DF68C946EFE77B8FB45311F004465FA01E7941D734BA89EBA1

Function 0006600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0006604C
GetStockObject.GDI32(00000011), ref: 00066060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0006606A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b6c3e828eedff3abd7a326db1c54792256618d61fa38664815726fa127a15e36
Instruction ID: 52108ab8f098a88096858948a3d734fd4afb5a2e61d49e0ed7954db75d8e9538
Opcode Fuzzy Hash: b6c3e828eedff3abd7a326db1c54792256618d61fa38664815726fa127a15e36
Instruction Fuzzy Hash: 05115E72501548BFFF125F949C55EEBBFAAEF09354F040115FA1552110D736AC60EB90

Function 00083B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00083B56

Part of subcall function 00083AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00083AD2
Part of subcall function 00083AA3: ___AdjustPointer.LIBCMT ref: 00083AED

_UnwindNestedFrames.LIBCMT ref: 00083B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00083B7C
CallCatchBlock.LIBVCRUNTIME ref: 00083BA4

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e31055cd89efe256cdb0a6b271610b75454170881dd18c048f0cd846bc2bfd0c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: BA01E972100149BBDF126E95CC46EEB7FA9FF98B54F044014FE8856122D736E961DBA0

Function 00093073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000613C6,00000000,00000000,?,0009301A,000613C6,00000000,00000000,00000000,?,0009328B,00000006,FlsSetValue), ref: 000930A5
GetLastError.KERNEL32(?,0009301A,000613C6,00000000,00000000,00000000,?,0009328B,00000006,FlsSetValue,00102290,FlsSetValue,00000000,00000364,?,00092E46), ref: 000930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0009301A,000613C6,00000000,00000000,00000000,?,0009328B,00000006,FlsSetValue,00102290,FlsSetValue,00000000), ref: 000930BF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3745ce1013317c132cc5610d444a90e25c77a651b911427d8b7c7be7fa64d3db
Instruction ID: 9008090a8927137f9d351455df659b0ae34128b53a54c4a870071ab2e2da9ac0
Opcode Fuzzy Hash: 3745ce1013317c132cc5610d444a90e25c77a651b911427d8b7c7be7fa64d3db
Instruction Fuzzy Hash: BC01F732301226ABEF714BB89C55E6B7BD8AF85BA1B110720F915E3580C725DD05DAE0

Function 000C7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 000C747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000C7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000C74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000C74CA

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4010f524b550241eba698d9e775b7a3b53b22dcbb18f7faccb250e346c3fcea2
Instruction ID: 0a3e001ab54ab825b97c3d0664da73be374124208c398059ce09760776f3d4b5
Opcode Fuzzy Hash: 4010f524b550241eba698d9e775b7a3b53b22dcbb18f7faccb250e346c3fcea2
Instruction Fuzzy Hash: 1C118BB1205314ABF7308F54DD09FAABBFCEB00B00F10856DA62AD6591D7B4E904EF60

Function 000CB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000CACD3,?,00008000), ref: 000CB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000CACD3,?,00008000), ref: 000CB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000CACD3,?,00008000), ref: 000CB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000CACD3,?,00008000), ref: 000CB126

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 5459fd1f5e0fc1e5567abdf2069c1f7db6daaa7c477cb0e8e3a9342bf74bcbe5
Instruction ID: 80e779e469754a2f17a7c3aaf3a3bbfd9c893eb04449074dbd2e2369b2698791
Opcode Fuzzy Hash: 5459fd1f5e0fc1e5567abdf2069c1f7db6daaa7c477cb0e8e3a9342bf74bcbe5
Instruction Fuzzy Hash: F5112731C0152CEBDF10AFE4E95ABEEBB78BF4A711F504089D941B2181CB349A60DB52

Function 000F7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000F7E33
ScreenToClient.USER32(?,?), ref: 000F7E4B
ScreenToClient.USER32(?,?), ref: 000F7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000F7E8A

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 5ff0c3d259a1dadb3cd3fabfbe513dce4d49e088f65e3ebc4d8f26e84877ccb3
Instruction ID: 06d8548130eaab2c2adfa220328337298f961cf1bc6ce52f49659471708d69e3
Opcode Fuzzy Hash: 5ff0c3d259a1dadb3cd3fabfbe513dce4d49e088f65e3ebc4d8f26e84877ccb3
Instruction Fuzzy Hash: E81163B9D0420EAFEB41DF98C9859EEBBF5FB08310F104056E915E2610D734AA54DF50

Function 000C2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000C2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 000C2DD6
GetCurrentThreadId.KERNEL32 ref: 000C2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000C2DE4

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: e0f9f6811d951c26235ad82775e9de87d6f3ca5e671b5f241462441ee3fd27d6
Instruction ID: 199666a3dfa32ced5b3f319220816c9bbf05514e21bf3617cf72fe6d353f530a
Opcode Fuzzy Hash: e0f9f6811d951c26235ad82775e9de87d6f3ca5e671b5f241462441ee3fd27d6
Instruction Fuzzy Hash: 96E06D711052287AF7201B629D0EFFB3E6CEF53BA1F000019B106D58809AA88840E6B0

Function 000F8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00079639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00079693
Part of subcall function 00079639: SelectObject.GDI32(?,00000000), ref: 000796A2
Part of subcall function 00079639: BeginPath.GDI32(?), ref: 000796B9
Part of subcall function 00079639: SelectObject.GDI32(?,00000000), ref: 000796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 000F8887
LineTo.GDI32(?,?,?), ref: 000F8894
EndPath.GDI32(?), ref: 000F88A4
StrokePath.GDI32(?), ref: 000F88B2

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f9136e64d1ba1e53d2050ea4e776b1688c9f2d76004d2b2779b2be62ce988591
Instruction ID: 07108abfd8f07f957a29d45999836845b43e50c40dd1754b49a38bc33cdd194d
Opcode Fuzzy Hash: f9136e64d1ba1e53d2050ea4e776b1688c9f2d76004d2b2779b2be62ce988591
Instruction Fuzzy Hash: 83F03A36041259BAFB125F94AD0AFEA3E59AF06324F048100FA11654E2CB795562EBA9

Function 000798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000798CC
SetTextColor.GDI32(?,?), ref: 000798D6
SetBkMode.GDI32(?,00000001), ref: 000798E9
GetStockObject.GDI32(00000005), ref: 000798F1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: c656cffdb44a4c9adc03ed510ad223b5976dec426b2d2aee1e7eb337e672ddb7
Instruction ID: 0748747fde288b3427b13bd425bebbdd57b12905d3737db65f67d52b8168d03f
Opcode Fuzzy Hash: c656cffdb44a4c9adc03ed510ad223b5976dec426b2d2aee1e7eb337e672ddb7
Instruction Fuzzy Hash: 83E06531244684AAFB215B78AD0AFF83F50FB52336F148219F7F9584E1C3754650EB10

Function 000C162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000C1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,000C11D9), ref: 000C163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000C11D9), ref: 000C1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,000C11D9), ref: 000C164F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8a66b6be528d8794dda0c51fddf6244b44ea7e552e6ce8db4f99879c18c6ec42
Instruction ID: cfe8f23fde04deb5a4af6251edcffac331981ede51b649e08835eb9f2a95d9db
Opcode Fuzzy Hash: 8a66b6be528d8794dda0c51fddf6244b44ea7e552e6ce8db4f99879c18c6ec42
Instruction Fuzzy Hash: ACE08632601215EBF7601FB09F0EFAA3BBDEF45791F144808F245C9080DA384445D750

Function 000BD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000BD858
GetDC.USER32(00000000), ref: 000BD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000BD882
ReleaseDC.USER32(?), ref: 000BD8A3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f87c4b4370b6b6fcc4ca9bcff652fc027ccfb3e872ee6c1028c74daa67f85c81
Instruction ID: 54e1e506efc2ffaa7c84a279e26b9fd22f9c90fbdb39b937b82883785ba533ca
Opcode Fuzzy Hash: f87c4b4370b6b6fcc4ca9bcff652fc027ccfb3e872ee6c1028c74daa67f85c81
Instruction Fuzzy Hash: 4EE01AB0804208DFEB519FA0DA09E7DBBB2FB08311F248419E84AE7750CB3C4901EF40

Function 000BD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000BD86C
GetDC.USER32(00000000), ref: 000BD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000BD882
ReleaseDC.USER32(?), ref: 000BD8A3

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9bbcedcd329e225d74b63b145a0f949ba2b88fec4bf9bd69fa95fd7f5cc761b2
Instruction ID: 3ee9698d2d938e046d96e27f0861a3c414458d456e0808765b38b0f9cdf150b5
Opcode Fuzzy Hash: 9bbcedcd329e225d74b63b145a0f949ba2b88fec4bf9bd69fa95fd7f5cc761b2
Instruction Fuzzy Hash: B0E012B0C04208EFEB50AFA0DA09A7DBBB2BB08310B148409E84AE7750CB3C5902EF40

Function 000D4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00067620: _wcslen.LIBCMT ref: 00067625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 000D4ED4

Strings

*, xrefs: 000D4E10
LPT, xrefs: 000D4DFB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 19cfe721227ece5217e4b4c70034c8b52d275afb67b55fb9f593105710c9d81d
Instruction ID: 4ed4f2414d6f926340514b971545c9471e34864ec354703aa4eae2569286234a
Opcode Fuzzy Hash: 19cfe721227ece5217e4b4c70034c8b52d275afb67b55fb9f593105710c9d81d
Instruction Fuzzy Hash: 3B916175A003449FDB54DF54C484EAABBF1BF44304F1980AAE80A9F362D775ED85CBA1

Function 0008E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0008E30D

Strings

pow, xrefs: 0008E2E5, 0008E302

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: dcf0c1b10de3949e58fd576cd6ae3270e908a002cdd12b1ca7650d16f1d3db18
Instruction ID: 508c4d8f78e930c61111553e5043b133579ff52ec6a5a521730c3c003e4d3e27
Opcode Fuzzy Hash: dcf0c1b10de3949e58fd576cd6ae3270e908a002cdd12b1ca7650d16f1d3db18
Instruction Fuzzy Hash: AB516C62A2D24296CF657714CD053BD3BF4BB50B40F304958F0DA826E9EF348CC5AB46

Function 0007E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0007E1B1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 1a4bfbc11aa8d59e1682098c56c67faa77e83313311dde4eaea469c42b493f5b
Instruction ID: 9fc77ac493b03877191c90d9b8bde2ae9a11b5aced7ed4f8b61f83636301ab06
Opcode Fuzzy Hash: 1a4bfbc11aa8d59e1682098c56c67faa77e83313311dde4eaea469c42b493f5b
Instruction Fuzzy Hash: 66515535949286EFDB64DF68C0816FE7BE5EF19310F248095EC919B2D2DA349D43CB90

Function 0007F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0007F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0007F2BB

Strings

@, xrefs: 0007F2AF

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 04a2955e948f1e58bfb4218536956870a36dc28f72687359b69138687a1279e3
Instruction ID: 201a8f2ee72d3b233d63f730730478c766d63a727f5238e3234fabacea489db6
Opcode Fuzzy Hash: 04a2955e948f1e58bfb4218536956870a36dc28f72687359b69138687a1279e3
Instruction Fuzzy Hash: 8F517771418745ABE320AF50DC86BABBBF8FF84304F81885CF1D941096EB718569CB67

Function 000E5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 000E57E0
_wcslen.LIBCMT ref: 000E57EC

Strings

CALLARGARRAY, xrefs: 000E57E6, 000E57EB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 2ee3e5d78fc837a46f0e1ad5531ea9f4d35188b9adb6aec110b58c30e8b1e09f
Instruction ID: 87324b7c01a7eb61b9b67b4003be60de71b96c1304d15c88c6d5bc868fa28255
Opcode Fuzzy Hash: 2ee3e5d78fc837a46f0e1ad5531ea9f4d35188b9adb6aec110b58c30e8b1e09f
Instruction Fuzzy Hash: 9741C031E001099FCB14DFA9C9819FEBBF5EF59315F20412AE505B7252EB349D81CB90

Function 000DD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000DD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000DD13A

Strings

|, xrefs: 000DD10B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2358d5b8ca593b45d6c9f12db12896ac7d541ac16ac92761b37b1dced29d2cbb
Instruction ID: 33e67c62895ca13aa0b573f7fd369b7dec2cadaa91aec706bd2de43690900894
Opcode Fuzzy Hash: 2358d5b8ca593b45d6c9f12db12896ac7d541ac16ac92761b37b1dced29d2cbb
Instruction Fuzzy Hash: B3313075D00209ABCF15EFA4CC45AEE7FBAFF04300F00011AF815A6262D732AA05DB60

Function 000F356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 000F3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000F365C

Strings

static, xrefs: 000F35BC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 970b04c8e0f5e3002504ebfb991986091eabb8f0f37968e1aff8ad286d8afa92
Instruction ID: 2f2b6937a715905c3ff85d954f117503dc27e73a7b33cbe4f8578eefc381a3cc
Opcode Fuzzy Hash: 970b04c8e0f5e3002504ebfb991986091eabb8f0f37968e1aff8ad286d8afa92
Instruction Fuzzy Hash: 76318F71100608AAEB109F68DC41EFB73A9FF88724F008619FAA5D7291DA35ED81E760

Function 000F4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 000F461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000F4634

Strings

', xrefs: 000F458E

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f001bd73cbf22a0cf70eb6c4691de4f6570f049d9a17cf169148c7e417d57e94
Instruction ID: 928c367476d4968485653368bfd8538fb22c43f7c9c7d5049953991452a34b51
Opcode Fuzzy Hash: f001bd73cbf22a0cf70eb6c4691de4f6570f049d9a17cf169148c7e417d57e94
Instruction Fuzzy Hash: 06311674A00609AFDB14DFA9C980BEA7BB5FF09700F10406AEE04EB752D771A941DF90

Function 000F31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000F327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F3287

Strings

Combobox, xrefs: 000F3249

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6a7ce64e5950235d6bc3257cf2fa726387781c339a59c0148172775054d6e019
Instruction ID: d428d4889b4b13a395ffd8dae390cb1cead186eea74f00e5ee8c6874a72678b3
Opcode Fuzzy Hash: 6a7ce64e5950235d6bc3257cf2fa726387781c339a59c0148172775054d6e019
Instruction Fuzzy Hash: 5911B27130020C7FFFA59E54DC81EFB37AAEB94364F104125FA1897691D6319D51A760

Function 000F3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0006600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0006604C
Part of subcall function 0006600E: GetStockObject.GDI32(00000011), ref: 00066060
Part of subcall function 0006600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0006606A

GetWindowRect.USER32(00000000,?), ref: 000F377A
GetSysColor.USER32(00000012), ref: 000F3794

Strings

static, xrefs: 000F3757

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 83cb478c9994585473b12ee3b7559dc527dc5a300d077153601bd96da90cb1c1
Instruction ID: c1dfa06a7f1ba0c1b52f10b459be98e2f10057a4547d70bddb670b5787f403dc
Opcode Fuzzy Hash: 83cb478c9994585473b12ee3b7559dc527dc5a300d077153601bd96da90cb1c1
Instruction Fuzzy Hash: AF1117B2610209AFEB10EFA8CC46EFA7BF8FB08314F004914FA55E2250D735E851EB50

Function 000DCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000DCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000DCDA6

Strings

<local>, xrefs: 000DCD66

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 12731f44a2321fd7971b5a29a98c89c5a32c666240588c9dc32de052399c70d0
Instruction ID: 429ae612851e2165cb56cc926b456d6059cf88dc599d3ba57896d91b92400862
Opcode Fuzzy Hash: 12731f44a2321fd7971b5a29a98c89c5a32c666240588c9dc32de052399c70d0
Instruction Fuzzy Hash: 7611C6712057367AF7784B668C45EF7BEAEEF127A4F004227B10983280D7749840D6F0

Function 000F3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 000F34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000F34BA

Strings

edit, xrefs: 000F348F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 201ff010e1d4442fa63e05ec665acbf196939186abc040a2f10ee90148d4aba7
Instruction ID: 2ffffff9496e0ad684f559b5b7c6d492b907a99b9f49c148ea2767e777c3ef34
Opcode Fuzzy Hash: 201ff010e1d4442fa63e05ec665acbf196939186abc040a2f10ee90148d4aba7
Instruction Fuzzy Hash: CC116A7110020CAAEB628E64DC45AFB37AAEB05774F504724FA61979E0C775FC91AB60

Function 000C6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

CharUpperBuffW.USER32(?,?,?), ref: 000C6CB6
_wcslen.LIBCMT ref: 000C6CC2

Strings

STOP, xrefs: 000C6CBC, 000C6CC1

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1a42f93ae4a18cea56b0b7aaebb13a022d3524e771618fa5f5c262737d7424c1
Instruction ID: 857d7b209789e51953a950707de9b8397feafd5840364b9a260b36cbf0af6e3d
Opcode Fuzzy Hash: 1a42f93ae4a18cea56b0b7aaebb13a022d3524e771618fa5f5c262737d7424c1
Instruction Fuzzy Hash: DA01C032A005268BCB30AFFDDD81EBF77EAEB61720B50052CE86297195EB33D900C650

Function 000C1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000C1D4C

Strings

ListBox, xrefs: 000C1D16
ComboBox, xrefs: 000C1CEB

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7956a0ff3489a3174ee9d5c9e4b6a510f75ceaf60f4a4e2c66714c601848cc03
Instruction ID: 5798400ad5a7969e1328015505db5b1a9fbf588539b5543e4de77c980e00cfbe
Opcode Fuzzy Hash: 7956a0ff3489a3174ee9d5c9e4b6a510f75ceaf60f4a4e2c66714c601848cc03
Instruction Fuzzy Hash: AC01D871601218ABCB14EBA4CD51EFE73A9EB57360B14091DF823572C3EA309918D760

Function 000C1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 000C1C46

Strings

ListBox, xrefs: 000C1C10
ComboBox, xrefs: 000C1BE5

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7d207553ccd11ce1ed9226920c91153e6ee91f8a7e97e8514d4c71abc6c2bb61
Instruction ID: 681bae89dfeca2ce6dbe465ab1b9d297e73d872b563c02206ad86f8dbb992f79
Opcode Fuzzy Hash: 7d207553ccd11ce1ed9226920c91153e6ee91f8a7e97e8514d4c71abc6c2bb61
Instruction Fuzzy Hash: 2901A7756811086BDB14EB90CA92FFF77EE9B12340F14001DB41667683EA349E18E7B1

Function 000C1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 000C1CC8

Strings

ListBox, xrefs: 000C1C94
ComboBox, xrefs: 000C1C69

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8f452c1a09694aa727b1fc9e1b9a48e38e0447394ca3528252842c54a145c4c3
Instruction ID: 0d4eca5e398029f7a34ccbbe27d5b1727a447d2901111547bc1afd32e8256f0d
Opcode Fuzzy Hash: 8f452c1a09694aa727b1fc9e1b9a48e38e0447394ca3528252842c54a145c4c3
Instruction Fuzzy Hash: 9701D6716801186BDB14FBA0DB92FFE73ED9B12340F540029B802B3683EA309F18D671

Function 000C1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 000C1DD3

Strings

ListBox, xrefs: 000C1DA0
ComboBox, xrefs: 000C1D75

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 61fb6b1e0d78348e00a84c09acd51f74896eeb1a06bbe807ffb24f05d451890a
Instruction ID: 5bf6d0e6e03f2e829f4bcf131f15a1fdfa72a88ef27b7bee6bc2098d20a172ec
Opcode Fuzzy Hash: 61fb6b1e0d78348e00a84c09acd51f74896eeb1a06bbe807ffb24f05d451890a
Instruction Fuzzy Hash: 76F0A471A512186BDB14F7A4DD92FFE77ADAB12350F440919B822A36C3DA7059189260

Function 000E747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000E7493
_wcslen.LIBCMT ref: 000E74B9

Strings

3, 3, 16, 1, xrefs: 000E7483

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b565fe26ae41198ac76b42bd713a8837cd6e40fe3c26bea74980d5b07350427b
Instruction ID: 8d0bf6dd5bccb80d0e82d2415c3d47eb8c6c9f6c15127ad1e8bf99a27f99520e
Opcode Fuzzy Hash: b565fe26ae41198ac76b42bd713a8837cd6e40fe3c26bea74980d5b07350427b
Instruction Fuzzy Hash: 4DE02B42205261149271227BACC19BF56C9EFD9750710182BF9CDD22E7EB94CD9193A0

Function 000C0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000C0B23

Strings

Error allocating memory., xrefs: 000C0B1C
AutoIt, xrefs: 000C0B17

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 8d1fac3664c42cbd5b204038552e837aacf4f63de36af3f0b54ce36fa938a891
Instruction ID: 3387ab10f000ab94d032b9997dafcb1df8523559312a2fb0ba61ecaa7824145f
Opcode Fuzzy Hash: 8d1fac3664c42cbd5b204038552e837aacf4f63de36af3f0b54ce36fa938a891
Instruction Fuzzy Hash: EFE0D83128831D3AE21037547D03FD97A858F05B14F10442AF788958C38BE6289096ED

Function 00080D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0007F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00080D71,?,?,?,0006100A), ref: 0007F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0006100A), ref: 00080D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0006100A), ref: 00080D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00080D7F

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ee37cae3e9330cc9562324a33fe05d66f6276ebf3148b1de264cfbfd04d3a039
Instruction ID: 4fb12da085004ee482f0a877fbacfac3341818266ea1e27add52d165f7743027
Opcode Fuzzy Hash: ee37cae3e9330cc9562324a33fe05d66f6276ebf3148b1de264cfbfd04d3a039
Instruction Fuzzy Hash: 1BE06D742003028BE3A0AFB8D5047A27BE4BF00744F04892DE486C6A52DBB9E448DBA1

Function 000D3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 000D302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 000D3044

Strings

aut, xrefs: 000D3038

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 50f56ceee93c81fb4dfb8308073d9bf8d853e7cd645a21f7b431b31fbe82c571
Instruction ID: 3a1421bae82cd2b63e75b90ea1f79ab6b30817f37541cc53b7b522f1a4d5f1c6
Opcode Fuzzy Hash: 50f56ceee93c81fb4dfb8308073d9bf8d853e7cd645a21f7b431b31fbe82c571
Instruction Fuzzy Hash: 8AD05E72500328A7EA60E7A4AD0EFDB3A6CDB04750F0002A1B655E20D2DAB49984CAD0

Function 000BD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000BD220

Strings

X64, xrefs: 000BD2A8
%.3d, xrefs: 000BD22B

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 06cb30541b42a1dbf4ce4230cd5aa37012dfde06a3884fbbe4d377ae44113f7a
Instruction ID: 7dfab4fbe80939475252e42edff810ce0aef6835ba2e9db03a094866812fa09c
Opcode Fuzzy Hash: 06cb30541b42a1dbf4ce4230cd5aa37012dfde06a3884fbbe4d377ae44113f7a
Instruction Fuzzy Hash: BCD01261C09159E9CBA097D0DC459FEF37CFB28301F508463F90A91040F728C908AB61

Function 000F2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000F233F

Part of subcall function 000CE97B: Sleep.KERNEL32 ref: 000CE9F3

Strings

Shell_TrayWnd, xrefs: 000F2325

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 051c0228c68ddf86af2e2a4e4224fee90c0b0f00690a3b6d58ba4be496c97f2c
Instruction ID: 686102af924ec0d0d91d6723a24e3e4d16135dcd87d190c552f04cf29c61b715
Opcode Fuzzy Hash: 051c0228c68ddf86af2e2a4e4224fee90c0b0f00690a3b6d58ba4be496c97f2c
Instruction Fuzzy Hash: BBD01276394354B7F664B770ED0FFDA7A149B00B10F0049167745EA5D1C9F4A851CA54

Function 000F2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F236C
PostMessageW.USER32(00000000), ref: 000F2373

Part of subcall function 000CE97B: Sleep.KERNEL32 ref: 000CE9F3

Strings

Shell_TrayWnd, xrefs: 000F2365

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: afd904828f682fed2b99ed1f2f321a0661f3ffcffc7e6b9b491a01fd1311b419
Instruction ID: 20046037576fbb4a2ee798bd458a04cc0b660d101a9f63274855d78deabbfa44
Opcode Fuzzy Hash: afd904828f682fed2b99ed1f2f321a0661f3ffcffc7e6b9b491a01fd1311b419
Instruction Fuzzy Hash: EED022323C03107BF264B330EC0FFCA76149B00B00F0009167301EA0D0C9F4B800CA04

Function 0009BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0009BE93
GetLastError.KERNEL32 ref: 0009BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0009BEFC

Memory Dump Source

Source File: 00000000.00000002.1504633372.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.1504018791.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506273192.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506835093.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1506947378.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6a705b7372f4154614d470628bf4fa2d4363a32d8fb6767160ed453e5d20ed37
Instruction ID: dcb463c177ec8af6f094379d07d4e47f8635bcf012cb16424d89f92b6bee6439
Opcode Fuzzy Hash: 6a705b7372f4154614d470628bf4fa2d4363a32d8fb6767160ed453e5d20ed37
Instruction Fuzzy Hash: 5341D43460420AEFDF319F64EE64ABABBE9EF42330F144169F959971A1DB308D00EB50

Analysis Process: firefox.exePID: 7252, Parent PID: 3872COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000253BDA6B532 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00000253BDA6B597

Strings

>, xrefs: 00000253BDA6F63F
A, xrefs: 00000253BDA6B58F
>, xrefs: 00000253BDA6C39C
>, xrefs: 00000253BDA6B5F9
#, xrefs: 00000253BDA6B5C2
4, xrefs: 00000253BDA6F619
z, xrefs: 00000253BDA6B5CB
#, xrefs: 00000253BDA69905
z, xrefs: 00000253BDA6CB76
#, xrefs: 00000253BDA6C671

Memory Dump Source

Source File: 00000012.00000002.2690251408.00000253BDA69000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000253BDA69000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_253bda69000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: d0443b771a6f5658878b58a9fdc27eb16de7f37e094264892988889993aec935
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 51A3F431618E488BDB2DDF28CC857A977E5FB98705F14422ED84BC7295DF34EA028B85

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 52.222.236.80 52.222.236.80
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1553194946.000001957388E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1644781896.0000019575F2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1667070292.0000019575F30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1631197868.0000019575FDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1521213752.000001956B77B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1646259208.000001956E118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1521213752.000001956B77B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1646259208.000001956E118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1633923369.00000195734A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1644781896.0000019575F2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1657324881.00000195734A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1631197868.0000019575FDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1675938723.000001956CA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1675938723.000001956CA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1521213752.000001956B77B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1646259208.000001956E118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1521213752.000001956B77B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1646259208.000001956E118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2687050748.00000253BD403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2686966928.000001EECD30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2687050748.00000253BD403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2686966928.000001EECD30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1677196155.000001956C692000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2687050748.00000253BD403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2686966928.000001EECD30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1631197868.0000019575FDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://89c83477-7a1a-4f5a-bda8-ef3858d4c7d0/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1633923369.00000195734A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1644781896.0000019575F2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1657324881.00000195734A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1631197868.0000019575FDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1663672175.0000019573D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1633923369.00000195734A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1657324881.00000195734A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1654621028.0000019573463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.80:443 -> 192.168.2.8:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.32.110:443 -> 192.168.2.8:63563 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:63569 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:63571 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:63568 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:63567 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:63567 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:63566 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:63570 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:63573 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:63572 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.32.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.32.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.32.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.32.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.32.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.32.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.32.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.32.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.32.110
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63571
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63570
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63572 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63569
Source: unknown	Network traffic detected: HTTP traffic on port 63569 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63564
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63563
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63566
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63568
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63567
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63573
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63572
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 63566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63564 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63570 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63573 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 63567 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 63672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 63563 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63571 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63568 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63672
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c34f7ffa-8b78-4b9e-b500-910b29bb531a.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c34f7ffa-8b78-4b9e-b500-910b29bb531a.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre