Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1540725
MD5:	6e9c01e11d3d6dfe9c42e1ba38ee91a7
SHA1:	f14d45e2c3b3592f0243417aabea545f037d7f0e
SHA256:	26fb164dc6780f4292aa09a9eba48df263efe8cdf1b82a1ea2f9aaff811689ac
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6E9C01E11D3D6DFE9C42E1BA38EE91A7)

taskkill.exe (PID: 7504 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7680 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7744 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7800 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7876 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7944 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7976 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7992 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1792 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de06ef4-7b42-4cc5-b75b-16175537487e} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb47a6f510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7804 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c009cfd6-4e48-44af-ba60-856a4eeb6978} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb59ad6c10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1100 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4992 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4984 -prefMapHandle 4980 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77f7aa6d-255c-483f-8a66-dc6825b39511} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb617f6910 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1357074632.00000000011F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 7488	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_001AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001AED6A

Source: C:\Users\user\Desktop\file.exe

0_2_001AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0019AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0019AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001C9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1293849053.00000000001F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2196984d-9
Source: file.exe, 00000000.00000000.1293849053.00000000001F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8d7e9758-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b0e15736-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5548d267-9

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_0000028E89DF4F77 NtQuerySystemInformation,		19_2_0000028E89DF4F77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_0000028E8A3A6232 NtQuerySystemInformation,		19_2_0000028E8A3A6232

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0019D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0019D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00191201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00191201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0019E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0019E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0013BF40	0_2_0013BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A2046	0_2_001A2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00138060	0_2_00138060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00198298	0_2_00198298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016E4FF	0_2_0016E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016676B	0_2_0016676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C4873	0_2_001C4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015CAA0	0_2_0015CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0013CAF0	0_2_0013CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014CC39	0_2_0014CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00166DD9	0_2_00166DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014B119	0_2_0014B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001391C0	0_2_001391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00151394	0_2_00151394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00151706	0_2_00151706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015781B	0_2_0015781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00137920	0_2_00137920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014997D	0_2_0014997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001519B0	0_2_001519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00157A4A	0_2_00157A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00151C77	0_2_00151C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00157CA7	0_2_00157CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BBE44	0_2_001BBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00169EEE	0_2_00169EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00151F32	0_2_00151F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_0000028E89DF4F77	19_2_0000028E89DF4F77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_0000028E8A3A6232	19_2_0000028E8A3A6232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_0000028E8A3A695C	19_2_0000028E8A3A695C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_0000028E8A3A6272	19_2_0000028E8A3A6272

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00139CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00150A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0014F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A37B5 GetLastError,FormatMessageW,

0_2_001A37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001910BF AdjustTokenPrivileges,CloseHandle,		0_2_001910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001A51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0019D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0019D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001A648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001342A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000F.00000003.1495385891.000001EB5B447000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000F.00000003.1490871039.000001EB637F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1492626708.000001EB637F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de06ef4-7b42-4cc5-b75b-16175537487e} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb47a6f510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c009cfd6-4e48-44af-ba60-856a4eeb6978} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb59ad6c10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4992 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4984 -prefMapHandle 4980 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77f7aa6d-255c-483f-8a66-dc6825b39511} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb617f6910 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de06ef4-7b42-4cc5-b75b-16175537487e} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb47a6f510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c009cfd6-4e48-44af-ba60-856a4eeb6978} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb59ad6c10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4992 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4984 -prefMapHandle 4980 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77f7aa6d-255c-483f-8a66-dc6825b39511} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb617f6910 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.15.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000F.00000003.1455754041.000001EB5728E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000F.00000003.1454436942.000001EB57284000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1453621227.000001EB57249000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000F.00000003.1455754041.000001EB5728E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000F.00000003.1454436942.000001EB57284000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1453621227.000001EB57249000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.15.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001342DE

Source: gmpopenh264.dll.tmp.15.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00150A76 push ecx; ret

0_2_00150A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0014F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001C1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97801

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_0000028E89DF4F77 rdtsc

19_2_0000028E89DF4F77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0019DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016C2A2 FindFirstFileExW,	0_2_0016C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A68EE FindFirstFileW,FindClose,	0_2_001A68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001A698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0019D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0019D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001A9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001A979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001A9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001A5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001342DE

Source: firefox.exe, 00000011.00000002.2560341618.000001FA4EA00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: firefox.exe, 00000011.00000002.2556400579.000001FA4E60A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2554326226.0000028E8999A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2559636972.0000028E8A290000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2559291995.000001BE35D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000011.00000002.2559745477.000001FA4E91C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.2560341618.000001FA4EA00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: firefox.exe, 00000014.00000002.2554879216.000001BE3589A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP<
Source: firefox.exe, 00000013.00000002.2559636972.0000028E8A290000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: firefox.exe, 00000011.00000002.2560341618.000001FA4EA00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2559636972.0000028E8A290000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_0000028E89DF4F77 rdtsc

19_2_0000028E89DF4F77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AEAA2 BlockInput,

0_2_001AEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00162622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00162622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00154CE8 mov eax, dword ptr fs:[00000030h]

0_2_00154CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00190B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00190B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00162622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00162622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0015083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001509D5 SetUnhandledExceptionFilter,	0_2_001509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00150C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00150C21

Source: C:\Users\user\Desktop\file.exe

0_2_00191201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00172BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00172BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0019B226 SendInput,keybd_event,

0_2_0019B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001B22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00190B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00191663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00191663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000F.00000003.1420254579.000001EB63D51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00150698 cpuid

0_2_00150698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001A8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0018D27A GetUserNameW,

0_2_0018D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0016B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0016B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001342DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1357074632.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1357074632.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001B1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mathiasbynens.be/	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.174	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	216.58.212.142	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000F.00000003.1403401773.000001EB57E0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000014.00000002.2556250685.000001BE35CC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000F.00000003.1540400990.000001EB5A013000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.15.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000F.00000003.1466577956.000001EB5B536000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1371021459.000001EB5B53D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000014.00000002.2556250685.000001BE35C8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000F.00000003.1510734305.000001EB5FE60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000F.00000003.1370574559.000001EB59473000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000F.00000003.1494167130.000001EB5B6B5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 0000000F.00000003.1453261528.000001EB648BC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000F.00000003.1504280101.000001EB58E80000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000F.00000003.1343095707.000001EB57683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342454096.000001EB57622000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342210572.000001EB57400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342903686.000001EB57663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342722978.000001EB57642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000F.00000003.1501139440.000001EB5A1DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1515345632.000001EB5A1DF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000F.00000003.1343095707.000001EB57683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342454096.000001EB57622000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342210572.000001EB57400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342903686.000001EB57663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1476927832.000001EB58B62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342722978.000001EB57642000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000F.00000003.1496884888.000001EB5B305000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1533958093.000001EB5B305000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000F.00000003.1342454096.000001EB57622000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342210572.000001EB57400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342903686.000001EB57663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342722978.000001EB57642000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000F.00000003.1515345632.000001EB5A1DF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=htr	firefox.exe, 00000014.00000002.2558970091.000001BE35D30000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000F.00000003.1539348998.000001EB5FE42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000F.00000003.1510734305.000001EB5FE60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 0000000F.00000003.1491128324.000001EB634C7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=htg	firefox.exe, 00000011.00000002.2556063482.000001FA4E5F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000F.00000003.1511712743.000001EB5FC4F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000F.00000003.1494167130.000001EB5B6B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2556971042.0000028E89E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2556250685.000001BE35C0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000F.00000003.1402192846.000001EB57E21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000F.00000003.1494167130.000001EB5B6E7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000014.00000002.2556250685.000001BE35CC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000F.00000003.1403401773.000001EB57E21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1402726804.000001EB57E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1402192846.000001EB57E21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1404577592.000001EB57E22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1403401773.000001EB57E0C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000F.00000003.1492964822.000001EB617C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.15.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000F.00000003.1504280101.000001EB58E80000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000011.00000002.2557195207.000001FA4E8C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2556971042.0000028E89EE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2559498714.000001BE35F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.15.dr	false	URL Reputation: safe	unknown
https://youtube.com/account?=ht;	firefox.exe, 00000013.00000002.2555575054.0000028E89D60000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000F.00000003.1494167130.000001EB5B6B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2556971042.0000028E89E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2556250685.000001BE35C13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000F.00000003.1513776924.000001EB58E48000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000F.00000003.1501139440.000001EB5A1DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1515345632.000001EB5A1DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000F.00000003.1510734305.000001EB5FE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1538352269.000001EB5FE8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000F.00000003.1403401773.000001EB57E0C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000F.00000003.1371021459.000001EB5B598000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1401409139.000001EB57CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1465883427.000001EB58AE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1481863018.000001EB6485E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1527883957.000001EB58B85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1475594561.000001EB587A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1481863018.000001EB64867000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1539570690.000001EB5B621000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1487577129.000001EB57CC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1456064571.000001EB56E9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1505094286.000001EB64865000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1533958093.000001EB5B33F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1396363351.000001EB57CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1463887159.000001EB57CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1506827007.000001EB56E98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1454028081.000001EB57A97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1501139440.000001EB5A1DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1496491180.000001EB5B3D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1477399611.000001EB587AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1453261528.000001EB648C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528256963.000001EB56E99000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000F.00000003.1496884888.000001EB5B305000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1533958093.000001EB5B305000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000F.00000003.1501139440.000001EB5A129000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1515345632.000001EB5A129000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000F.00000003.1496884888.000001EB5B305000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1533958093.000001EB5B305000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.15.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1496491180.000001EB5B3D6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504781363.000001EB58DA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1494666992.000001EB5B4F6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504781363.000001EB58DA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1494666992.000001EB5B4F6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000F.00000003.1510734305.000001EB5FE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1538352269.000001EB5FE8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000F.00000003.1466577956.000001EB5B536000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1371021459.000001EB5B53D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000F.00000003.1517159180.000001EB5FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1370574559.000001EB59473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1511712743.000001EB5FC4F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000F.00000003.1510734305.000001EB5FE5B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000F.00000003.1520245883.000001EB56E39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1345206143.000001EB56E33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000F.00000003.1403401773.000001EB57E0C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000F.00000003.1504618406.000001EB58DCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1536349605.000001EB58DCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1540465676.000001EB58DCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1514011420.000001EB58DCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1519433888.000001EB58DCF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mathiasbynens.be/	firefox.exe, 0000000F.00000003.1453261528.000001EB648BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000F.00000003.1500273212.000001EB5A28B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000F.00000003.1403933063.000001EB57C8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1402192846.000001EB57E21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1403401773.000001EB57E0C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1404353349.000001EB57C7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1402726804.000001EB57E9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1403933063.000001EB57C9A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000F.00000003.1520245883.000001EB56E39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1345206143.000001EB56E33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000F.00000003.1494167130.000001EB5B6B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000F.00000003.1370574559.000001EB59473000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000F.00000003.1539873505.000001EB5B447000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000F.00000003.1342722978.000001EB57642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000F.00000003.1513776924.000001EB58E48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000F.00000003.1510734305.000001EB5FEA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342210572.000001EB57400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342903686.000001EB57663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1476927832.000001EB58B62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1342722978.000001EB57642000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000F.00000003.1501139440.000001EB5A1DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1515345632.000001EB5A1DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000011.00000002.2556858840.000001FA4E640000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2555875408.0000028E89D70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2555664563.000001BE35900000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	firefox.exe, 00000011.00000002.2557195207.000001FA4E8C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2556971042.0000028E89EE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2559498714.000001BE35F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.15.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.174	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540725
Start date and time:	2024-10-24 02:49:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.231.229.39, 52.13.186.250, 34.208.54.237, 142.250.185.138, 142.250.184.202, 142.250.186.170, 142.250.185.238, 2.22.61.59, 2.22.61.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
20:50:21	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	https://www.ccleaner.com/	Get hash	malicious	Unknown	Browse	157.240.252.35
	https://jpbelgi.com/	Get hash	malicious	Unknown	Browse	157.240.253.35
	https://freshremovedigital.com/	Get hash	malicious	Unknown	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	https://www.ccleaner.com/	Get hash	malicious	Unknown	Browse	34.117.223.223
	https://download.ccleaner.com/portable/ccsetup629.zip	Get hash	malicious	Unknown	Browse	34.117.223.223
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	51.243.239.106
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	57.160.15.55
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	33.39.20.76
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	51.3.71.36
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	48.99.221.207
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	48.72.1.106
	https://www.ccleaner.com/	Get hash	malicious	Unknown	Browse	34.160.176.28
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://www.ccleaner.com/	Get hash	malicious	Unknown	Browse	151.101.194.132
	Douglas County Government.pdf	Get hash	malicious	Unknown	Browse	151.101.129.140
	https://jpbelgi.com/	Get hash	malicious	Unknown	Browse	199.232.188.159
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://go.board.com/u/MDYzLVhVUC03MjQAAAGWWmuBSHLu2qnjT2fd3i42hMc8hwQGFhiaAKjDUUamE35KumMEYtASBjkNxUKrq50VZoODfB4=	Get hash	malicious	Unknown	Browse	151.101.1.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://www.amalkongsirezeki20245.org-now.info/	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://www.paypal.com/invoice/payerView/details/INV2-N92X-T2Z2-AHQ9-TKQH?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000238&utm_unptid=3863e735-915a-11ef-98e8-79ac3b3090e7&ppid=RT000238&cnac=US&rsta=en_US%28en-US%29&unptid=3863e735-915a-11ef-98e8-79ac3b3090e7&calc=f264059569334&unp_tpcid=invoice-buyer-notification&page=main%3Aemail%3ART000238&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.287.1&tenant_name=&xt=145585%2C134644%2C150948%2C104038&link_ref=details_inv2-n92x-t2z2-ahq9-tkqh	Get hash	malicious	Unknown	Browse	151.101.67.1
ATGS-MMD-ASUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	51.243.239.106
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	57.160.15.55
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	33.39.20.76
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	51.3.71.36
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	48.99.221.207
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	48.72.1.106
	https://www.ccleaner.com/	Get hash	malicious	Unknown	Browse	34.160.176.28

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_624a379a-9541-4898-b5f3-64994def33a0.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.177281331552478
Encrypted:	false
SSDEEP:	192:dMvMXsuBcbhbVbTbfbRbObtbyEl7nQrjJA6unSrDtTkd/S9l3:dFRcNhnzFSJwr61nSrDhkd/cl3
MD5:	65EF4FA7C723A67D95C5A5DC175862BD
SHA1:	BA6E3C9E4D53949194678FC404C1144CAA02A902
SHA-256:	AD9470BBA6AA0DEAE9AE3DF817C6ED4DE47CE5C7DFB70E50C37E8E4BCE77E20A
SHA-512:	56D081991C689C05F63630D09694B563F806EB1A4D0E1378456A3CEA33279BD8BC94E9E69D24FB3F2219C8CECB878931169FA7469FE61817F0FFDFEBCC26A829
Malicious:	false
Preview:	{"type":"uninstall","id":"624a379a-9541-4898-b5f3-64994def33a0","creationDate":"2024-10-24T02:40:53.404Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_624a379a-9541-4898-b5f3-64994def33a0.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.177281331552478
Encrypted:	false
SSDEEP:	192:dMvMXsuBcbhbVbTbfbRbObtbyEl7nQrjJA6unSrDtTkd/S9l3:dFRcNhnzFSJwr61nSrDhkd/cl3
MD5:	65EF4FA7C723A67D95C5A5DC175862BD
SHA1:	BA6E3C9E4D53949194678FC404C1144CAA02A902
SHA-256:	AD9470BBA6AA0DEAE9AE3DF817C6ED4DE47CE5C7DFB70E50C37E8E4BCE77E20A
SHA-512:	56D081991C689C05F63630D09694B563F806EB1A4D0E1378456A3CEA33279BD8BC94E9E69D24FB3F2219C8CECB878931169FA7469FE61817F0FFDFEBCC26A829
Malicious:	false
Preview:	{"type":"uninstall","id":"624a379a-9541-4898-b5f3-64994def33a0","creationDate":"2024-10-24T02:40:53.404Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.943060359642825
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBL6zB8P:8S+Oc+UAOdwiOdKeQjDL6zB8P
MD5:	E7BBEFC92EA97FB81E24923891E56F4D
SHA1:	C6BB6746DF9B7CE73E5BEC8666FC4973CBE3FF85
SHA-256:	9513EECEAE0D6AB496295F830EFCF007D3D2ED2542AB03B0643629EFF49D5D48
SHA-512:	10A24602F65A6C7F74A5CA00061D99CEC6C029638EAD216CF7C65AE8097399428D8ECCFB13AF894A4FAE48457735E2D6FA7FF5B5A91B2F9625E9EA5EA0E79600
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.943060359642825
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBL6zB8P:8S+Oc+UAOdwiOdKeQjDL6zB8P
MD5:	E7BBEFC92EA97FB81E24923891E56F4D
SHA1:	C6BB6746DF9B7CE73E5BEC8666FC4973CBE3FF85
SHA-256:	9513EECEAE0D6AB496295F830EFCF007D3D2ED2542AB03B0643629EFF49D5D48
SHA-512:	10A24602F65A6C7F74A5CA00061D99CEC6C029638EAD216CF7C65AE8097399428D8ECCFB13AF894A4FAE48457735E2D6FA7FF5B5A91B2F9625E9EA5EA0E79600
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07320363929146964
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	BA34C153ABF503341FC01B8A5B7ACF1C
SHA1:	06D2450946535AA1985B19C4681A530EF8BA4570
SHA-256:	584EC894557C893852118DCE7A79827FB038C0BCA13A177E2B8EBB8183A3248A
SHA-512:	05A6370660CCAA576B3931AB753A065AB3C5893BFD2D475B0040AFD73EF80C5774F83D5F00F51EDBAAC0D175D77393FB27472D2EE18081D885DE5BF3360C7A93
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03512533380918114
Encrypted:	false
SSDEEP:	3:GtlstFn3iJp5O09KmIltlstFn3iJp5O09Kc/L89//alEl:GtWt0Xn9KXltWt0Xn9K8L89XuM
MD5:	0AAFD2567EFFDAE1E9573AF77265A12E
SHA1:	0DC2006D6F7255B1581038F00FFC8B12DDA39D36
SHA-256:	23CD23F28F16BE3B4D1F52AA973EA7C61B5C5029CB0E34B379FB7C0BDD7E9AD8
SHA-512:	F9ADA7BA1484CD1A76C4409A6E64879098B50E74083332C88CEEE1676F3C978BCC964A3065D930FF5A70626E08E0A955FD4E62C35E2ABB16F178A57E100D9176
Malicious:	false
Preview:	..-.....................0.}..,.N...0.c.e8...c./...-.....................0.}..,.N...0.c.e8...c./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03946012033960926
Encrypted:	false
SSDEEP:	3:Ol1wQ/ItKC9tl8rEXsxdwhml8XW3R2:KH/QKCLl8dMhm93w
MD5:	C54054015EA25DB820921CA829B93A54
SHA1:	9F3F467D315EB635DDA20A9F3F5FA45642BDC7DF
SHA-256:	CB84A60246C9CF6559F1740C3449884852B320816E5D0A5B5CDDB8B472A3D170
SHA-512:	35B5600593CBF90FCEBE67CE68FFF483BB16C55199DE3A4BA0A9B112D673DC27CF97DE2030EFFB8059B27F14E65A6E1AFA263D7CE25BA130991CF5564E2316C8
Malicious:	false
Preview:	7....-.............0.c.e....$.>............0.c.e.}.0N.,.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	modified
Size (bytes):	13214
Entropy (8bit):	5.478140055598312
Encrypted:	false
SSDEEP:	192:lWQnSRkyYbBp63qUCaXc6ViGEeN6rc5RHNBw8dFnSl:eeEqU3SK6oPwS0
MD5:	C6F2705CC10E615662AC85C8D4719695
SHA1:	B04EB3C8E1663E2521B4D2B66A3D5AC13F6CACFD
SHA-256:	82268C8CCAD041F46A2D9B515B73E4AA39142FCD7D60C065D9DFC661D3FF9DD1
SHA-512:	5B5D5D95313176DB9DF71F525E6DF07855C6244F1AF838AE7F575250F088BAB5B3DB79BC523F9BF06329C8AA77A005E7BFF0198D2E74824528C4882E9AE62F8D
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729737624);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729737624);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729737624);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172973

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478140055598312
Encrypted:	false
SSDEEP:	192:lWQnSRkyYbBp63qUCaXc6ViGEeN6rc5RHNBw8dFnSl:eeEqU3SK6oPwS0
MD5:	C6F2705CC10E615662AC85C8D4719695
SHA1:	B04EB3C8E1663E2521B4D2B66A3D5AC13F6CACFD
SHA-256:	82268C8CCAD041F46A2D9B515B73E4AA39142FCD7D60C065D9DFC661D3FF9DD1
SHA-512:	5B5D5D95313176DB9DF71F525E6DF07855C6244F1AF838AE7F575250F088BAB5B3DB79BC523F9BF06329C8AA77A005E7BFF0198D2E74824528C4882E9AE62F8D
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729737624);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729737624);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729737624);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172973

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.334533094559042
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSdLXnIgVf/pnxQwRlszT5sKhik3eHVVPNZT/Aamhuj3pOOcUb2mifj:GUpOxsdZnR6B3etZTI45edHd
MD5:	AB4E5D067270E67251609E080C7A59A5
SHA1:	572613B950074BBDF0BBB78C8EA42A7ECA912F72
SHA-256:	47DCF3052A1DB9F0FE8F201CB167CB6991D46AA7EF7678D51F68F3FD0695A31F
SHA-512:	0081F6D9DF624A02F6E10EB00F97EE64A3F470397EB90F390C7F560B85975F05054AF7331F1BCA223FE3F5A11FF5742B7C352B144AD8BB501E1AC8AAD9CF14EF
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{f47ec72d-2783-48a3-ac39-9af36996b213}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729737628233,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`593182...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....598861,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.334533094559042
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSdLXnIgVf/pnxQwRlszT5sKhik3eHVVPNZT/Aamhuj3pOOcUb2mifj:GUpOxsdZnR6B3etZTI45edHd
MD5:	AB4E5D067270E67251609E080C7A59A5
SHA1:	572613B950074BBDF0BBB78C8EA42A7ECA912F72
SHA-256:	47DCF3052A1DB9F0FE8F201CB167CB6991D46AA7EF7678D51F68F3FD0695A31F
SHA-512:	0081F6D9DF624A02F6E10EB00F97EE64A3F470397EB90F390C7F560B85975F05054AF7331F1BCA223FE3F5A11FF5742B7C352B144AD8BB501E1AC8AAD9CF14EF
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{f47ec72d-2783-48a3-ac39-9af36996b213}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729737628233,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`593182...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....598861,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.334533094559042
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSdLXnIgVf/pnxQwRlszT5sKhik3eHVVPNZT/Aamhuj3pOOcUb2mifj:GUpOxsdZnR6B3etZTI45edHd
MD5:	AB4E5D067270E67251609E080C7A59A5
SHA1:	572613B950074BBDF0BBB78C8EA42A7ECA912F72
SHA-256:	47DCF3052A1DB9F0FE8F201CB167CB6991D46AA7EF7678D51F68F3FD0695A31F
SHA-512:	0081F6D9DF624A02F6E10EB00F97EE64A3F470397EB90F390C7F560B85975F05054AF7331F1BCA223FE3F5A11FF5742B7C352B144AD8BB501E1AC8AAD9CF14EF
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{f47ec72d-2783-48a3-ac39-9af36996b213}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729737628233,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`593182...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....598861,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.035612888403651
Encrypted:	false
SSDEEP:	96:ycVHp+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27:jHETEr5a3hzFChRe
MD5:	ACF9A94F122347D9F16253E36511CE7D
SHA1:	70BD5F64441B3429E54F2FE77D4446C2B8123E8E
SHA-256:	155CA8CF13A410C4293391EE1B12B07B480A12000DDD1BFD866DC8203031C5A1
SHA-512:	2EBC5A4C511E69607D46903E36BA8FC161EF5E5AFB5D2B97CEFEC5FD575696436D1D72626F548623FF5218611BFDBA18F34D81187B82257111E8746F490A9188
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-24T02:40:09.930Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.035612888403651
Encrypted:	false
SSDEEP:	96:ycVHp+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27:jHETEr5a3hzFChRe
MD5:	ACF9A94F122347D9F16253E36511CE7D
SHA1:	70BD5F64441B3429E54F2FE77D4446C2B8123E8E
SHA-256:	155CA8CF13A410C4293391EE1B12B07B480A12000DDD1BFD866DC8203031C5A1
SHA-512:	2EBC5A4C511E69607D46903E36BA8FC161EF5E5AFB5D2B97CEFEC5FD575696436D1D72626F548623FF5218611BFDBA18F34D81187B82257111E8746F490A9188
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-24T02:40:09.930Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584705647014496
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	6e9c01e11d3d6dfe9c42e1ba38ee91a7
SHA1:	f14d45e2c3b3592f0243417aabea545f037d7f0e
SHA256:	26fb164dc6780f4292aa09a9eba48df263efe8cdf1b82a1ea2f9aaff811689ac
SHA512:	0f2a9393024f6f1a2f1b8e38e0795c680e95dc66114f6d48467d5ccb18ac3f5a1fd63570682229b1e71906f4575e18dae2b3e122f0458db1c96186e868bf6c3e
SSDEEP:	12288:9qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tp:9qDEvCTbMWu7rQYlBQcBiT6rprG8abp
TLSH:	80159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671994D1 [Thu Oct 24 00:29:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F0D8CEBC883h
jmp 00007F0D8CEBC18Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0D8CEBC36Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0D8CEBC33Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F0D8CEBEF2Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F0D8CEBEF78h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F0D8CEBEF61h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	1b9e3c86cf0be52e4feb6d42c28f15a2	False	0.3156398338607595	data	5.374048954769499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 02:50:18.490370989 CEST	49715	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:18.490422964 CEST	443	49715	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:18.496081114 CEST	49715	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:18.501555920 CEST	49715	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:18.501578093 CEST	443	49715	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:19.118818998 CEST	443	49715	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:19.118925095 CEST	49715	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:19.126269102 CEST	49715	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:19.126283884 CEST	443	49715	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:19.126557112 CEST	49715	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:19.126759052 CEST	443	49715	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:19.126878023 CEST	49715	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:19.542506933 CEST	49722	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:19.542541981 CEST	443	49722	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:19.547782898 CEST	49722	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:19.549379110 CEST	49722	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:19.549391985 CEST	443	49722	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:19.676738977 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:19.676747084 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:19.678499937 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:19.679970026 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:19.679981947 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:19.680205107 CEST	49728	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:19.685534954 CEST	80	49728	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:19.694279909 CEST	49728	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:19.698255062 CEST	49728	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:19.703560114 CEST	80	49728	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:19.877902031 CEST	49730	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:19.877939939 CEST	443	49730	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:19.878120899 CEST	49730	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:19.879564047 CEST	49730	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:19.879581928 CEST	443	49730	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:19.928411961 CEST	49731	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:19.928462029 CEST	443	49731	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:19.928734064 CEST	49731	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:19.932679892 CEST	49731	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:19.932689905 CEST	443	49731	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:19.933952093 CEST	49732	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:19.934005022 CEST	443	49732	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:19.934858084 CEST	49732	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:19.934997082 CEST	49732	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:19.935010910 CEST	443	49732	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:20.219710112 CEST	49733	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.219822884 CEST	443	49733	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:20.220268011 CEST	49733	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.220407963 CEST	49733	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.220428944 CEST	443	49733	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:20.301171064 CEST	80	49728	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:20.301472902 CEST	49728	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:20.307396889 CEST	80	49728	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:20.307461977 CEST	49728	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:20.412344933 CEST	443	49722	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.413026094 CEST	443	49722	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.413372040 CEST	49722	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.413392067 CEST	443	49722	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.418442965 CEST	49722	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.418452978 CEST	443	49722	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.418554068 CEST	49722	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.419017076 CEST	443	49722	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.419176102 CEST	49722	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.487051964 CEST	443	49730	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.491336107 CEST	443	49730	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.496378899 CEST	49730	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.532804012 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.532895088 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.533514023 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.533564091 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.544028997 CEST	443	49731	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.544089079 CEST	49731	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.556854010 CEST	443	49732	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:20.556917906 CEST	49732	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:20.632906914 CEST	49732	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:20.632945061 CEST	443	49732	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:20.633294106 CEST	443	49732	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:20.637615919 CEST	49730	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.637633085 CEST	443	49730	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.637866020 CEST	49730	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.637883902 CEST	443	49730	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.638370991 CEST	49739	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.638426065 CEST	443	49739	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.640083075 CEST	49732	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:20.640146017 CEST	49732	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:20.640269995 CEST	443	49732	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:20.643590927 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.643604040 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.643912077 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.644088030 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.644437075 CEST	49740	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.644464016 CEST	443	49740	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.646964073 CEST	49731	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.646964073 CEST	49731	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.646980047 CEST	443	49731	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.647161007 CEST	49741	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.647192001 CEST	443	49731	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.647201061 CEST	443	49741	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.650099039 CEST	49730	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.650141001 CEST	49732	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:20.650146008 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.650182962 CEST	49740	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.650192022 CEST	49739	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.650203943 CEST	49731	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.651593924 CEST	49739	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.651628971 CEST	443	49739	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.652890921 CEST	49740	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:20.652903080 CEST	443	49740	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:20.653126955 CEST	49741	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.654711008 CEST	49741	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:20.654727936 CEST	443	49741	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:20.655004978 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:20.660336971 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:20.660537958 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:20.660828114 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:20.666104078 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:20.687572956 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:20.692915916 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:20.694355965 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:20.694583893 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:20.699882984 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:20.838135958 CEST	443	49733	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:20.838905096 CEST	49733	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.841831923 CEST	49733	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.841850042 CEST	443	49733	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:20.842154980 CEST	443	49733	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:20.844458103 CEST	49733	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.844573975 CEST	49733	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.844643116 CEST	443	49733	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:20.845046043 CEST	49744	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.845091105 CEST	443	49744	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:20.845819950 CEST	49733	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.845885038 CEST	49744	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.845966101 CEST	49744	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:20.845973969 CEST	443	49744	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:21.255506992 CEST	443	49741	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:21.255857944 CEST	49741	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:21.262388945 CEST	49741	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:21.262403965 CEST	443	49741	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:21.262480021 CEST	49741	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:21.262501001 CEST	443	49739	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:21.262518883 CEST	443	49739	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:21.262624025 CEST	49739	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:21.262733936 CEST	443	49741	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:21.262959957 CEST	49741	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:21.264873981 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:21.267218113 CEST	49739	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:21.267230034 CEST	443	49739	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:21.267277956 CEST	49739	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:21.267512083 CEST	443	49739	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:21.268862009 CEST	49739	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:21.299335003 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:21.316247940 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:21.352128029 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:21.458900928 CEST	443	49744	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:21.463357925 CEST	443	49744	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:21.467959881 CEST	49744	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:21.471350908 CEST	49744	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:21.471373081 CEST	443	49744	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:21.471755028 CEST	443	49744	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:21.474200010 CEST	49744	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:21.474200010 CEST	49744	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:21.474473000 CEST	443	49744	34.160.144.191	192.168.2.7
Oct 24, 2024 02:50:21.475267887 CEST	49744	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:21.475267887 CEST	49744	443	192.168.2.7	34.160.144.191
Oct 24, 2024 02:50:21.506557941 CEST	443	49740	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:21.507621050 CEST	443	49740	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:21.522407055 CEST	49740	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:21.522418022 CEST	443	49740	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:21.526726007 CEST	49740	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:21.526742935 CEST	443	49740	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:21.526817083 CEST	49740	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:21.527061939 CEST	443	49740	142.250.186.174	192.168.2.7
Oct 24, 2024 02:50:21.528261900 CEST	49740	443	192.168.2.7	142.250.186.174
Oct 24, 2024 02:50:22.147243977 CEST	49751	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.147309065 CEST	443	49751	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:22.147468090 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:22.148010015 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:22.151180983 CEST	49751	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.152379036 CEST	49751	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.152412891 CEST	443	49751	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:22.152868032 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.153403044 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.275192976 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.275255919 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.328577995 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:22.328820944 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:22.530158043 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:22.535497904 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.645685911 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:22.651032925 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.657938957 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.713969946 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:22.769398928 CEST	443	49751	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:22.769684076 CEST	49751	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.773662090 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.774169922 CEST	49751	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.774183035 CEST	443	49751	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:22.774280071 CEST	49751	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.774399042 CEST	443	49751	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:22.774640083 CEST	49758	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.774677992 CEST	443	49758	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:22.774710894 CEST	49751	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.776071072 CEST	49758	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.777631044 CEST	49758	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:22.777647018 CEST	443	49758	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:22.793245077 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:22.798659086 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.814222097 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:22.856664896 CEST	49759	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:22.856707096 CEST	443	49759	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:22.861366987 CEST	49759	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:22.862559080 CEST	49759	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:22.862588882 CEST	443	49759	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:22.919749975 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:22.961374998 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:23.403275967 CEST	443	49758	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:23.408759117 CEST	49758	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:23.413512945 CEST	49758	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:23.413532019 CEST	443	49758	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:23.413619041 CEST	49758	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:23.413968086 CEST	443	49758	34.117.188.166	192.168.2.7
Oct 24, 2024 02:50:23.414026976 CEST	49758	443	192.168.2.7	34.117.188.166
Oct 24, 2024 02:50:23.466840029 CEST	443	49759	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:23.466911077 CEST	49759	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:23.471328020 CEST	49759	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:23.471328020 CEST	49759	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:23.471343994 CEST	443	49759	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:23.471537113 CEST	443	49759	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:23.471744061 CEST	49759	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:23.489098072 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:23.494442940 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:23.551834106 CEST	49766	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:23.551899910 CEST	443	49766	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:23.559351921 CEST	49766	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:23.559467077 CEST	49766	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:23.559488058 CEST	443	49766	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:23.600522995 CEST	49767	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:23.600549936 CEST	443	49767	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:23.600933075 CEST	49767	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:23.602261066 CEST	49767	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:23.602281094 CEST	443	49767	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:23.616096973 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:23.663530111 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:23.909934998 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:23.910870075 CEST	49768	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:23.910900116 CEST	443	49768	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:23.915199995 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:23.921832085 CEST	49768	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:23.923382044 CEST	49768	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:23.923402071 CEST	443	49768	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:24.036577940 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:24.097767115 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:24.169225931 CEST	443	49766	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:24.169267893 CEST	443	49766	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:24.178735971 CEST	49766	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:24.230037928 CEST	443	49767	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:24.239345074 CEST	443	49767	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:24.240001917 CEST	49767	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:24.261759996 CEST	49767	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:24.434324980 CEST	49766	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:24.434408903 CEST	443	49766	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:24.435331106 CEST	443	49766	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:24.438252926 CEST	49766	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:24.438544035 CEST	49766	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:24.438611031 CEST	49767	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:24.438627958 CEST	443	49767	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:24.438662052 CEST	443	49766	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:24.438698053 CEST	49767	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:24.439002991 CEST	443	49767	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:24.439008951 CEST	49773	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:24.439068079 CEST	443	49773	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:24.445180893 CEST	49766	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:24.445180893 CEST	49766	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:24.445197105 CEST	49767	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:24.445230961 CEST	49773	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:24.531975031 CEST	49773	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:24.532016993 CEST	443	49773	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:24.537523031 CEST	443	49768	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:24.537539959 CEST	443	49768	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:24.537591934 CEST	49768	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:24.542064905 CEST	49768	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:24.542082071 CEST	443	49768	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:24.542150021 CEST	49768	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:24.542254925 CEST	443	49768	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:24.542309999 CEST	49768	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:25.150326014 CEST	443	49773	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:25.150393963 CEST	49773	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:25.155174971 CEST	49773	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:25.155198097 CEST	443	49773	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:25.155261040 CEST	49773	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:25.155380011 CEST	443	49773	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:25.155658960 CEST	49773	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:27.756617069 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:27.771686077 CEST	49792	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:27.771732092 CEST	443	49792	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:27.771929026 CEST	49792	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:27.773147106 CEST	49792	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:27.773166895 CEST	443	49792	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:27.774877071 CEST	49793	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:27.774919033 CEST	443	49793	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:27.776732922 CEST	49793	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:27.777254105 CEST	49793	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:27.777264118 CEST	443	49793	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:27.821502924 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:27.845546961 CEST	49794	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:27.845617056 CEST	443	49794	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:27.846193075 CEST	49794	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:27.849720955 CEST	49794	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:27.849740982 CEST	443	49794	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:27.942554951 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:27.989727974 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:28.433867931 CEST	443	49792	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:28.433933973 CEST	49792	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.434056997 CEST	443	49793	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:28.435153008 CEST	49793	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.451281071 CEST	443	49794	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:28.451339960 CEST	49794	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:28.536606073 CEST	49793	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.536644936 CEST	443	49793	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:28.536971092 CEST	443	49793	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:28.543087006 CEST	49792	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.543107033 CEST	443	49792	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:28.543149948 CEST	49792	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.543499947 CEST	443	49792	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:28.543550014 CEST	49793	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.543550014 CEST	49793	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.543719053 CEST	443	49793	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:28.543730021 CEST	49794	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:28.543760061 CEST	443	49794	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:28.543775082 CEST	49794	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:28.544025898 CEST	49793	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.544034004 CEST	49792	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.544087887 CEST	49793	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:28.544147968 CEST	443	49794	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:28.544538975 CEST	49794	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.433963060 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:33.439330101 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:33.563123941 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:33.612454891 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:33.700921059 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:33.706209898 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:33.716999054 CEST	49835	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.717036963 CEST	443	49835	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:33.717181921 CEST	49836	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.717216015 CEST	443	49836	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:33.717355013 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.717386007 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:33.717721939 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.717740059 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:33.726416111 CEST	49835	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.726429939 CEST	49836	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.726537943 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.726538897 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.726686954 CEST	49835	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.726701021 CEST	443	49835	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:33.726727009 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.726743937 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:33.726752996 CEST	49836	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.726778984 CEST	443	49836	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:33.728187084 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:33.728233099 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:33.828634024 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:33.882055998 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:34.333956957 CEST	443	49836	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.334000111 CEST	443	49836	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.335272074 CEST	49842	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:34.335300922 CEST	443	49842	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:34.336695910 CEST	49836	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.336711884 CEST	49842	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:34.339533091 CEST	49836	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.339540958 CEST	443	49836	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.339879036 CEST	443	49836	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.341108084 CEST	49842	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:34.341136932 CEST	443	49842	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:34.342999935 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.343020916 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.343254089 CEST	443	49835	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.343272924 CEST	443	49835	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.343374968 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.343377113 CEST	49835	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.344846010 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.344861031 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.344918013 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.347228050 CEST	49835	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.347237110 CEST	443	49835	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.347527981 CEST	443	49835	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.351336002 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.351342916 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.351511955 CEST	49836	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.351583004 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.351799965 CEST	49836	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.351991892 CEST	443	49836	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.352276087 CEST	49836	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.355113029 CEST	49835	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.355348110 CEST	49835	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.355366945 CEST	443	49835	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.355595112 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.355604887 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.355648994 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.355751991 CEST	49835	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.355792999 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.355844021 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.355920076 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.355984926 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.356581926 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.537863970 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:34.537900925 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:34.543539047 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:34.549211979 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:34.549798012 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:34.552630901 CEST	49845	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:34.552686930 CEST	443	49845	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:34.552896023 CEST	49845	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:34.553033113 CEST	49845	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:34.553045988 CEST	443	49845	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:34.555322886 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:34.673491955 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:34.677071095 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:34.715667963 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:34.737812042 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:34.965450048 CEST	443	49842	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:34.965522051 CEST	49842	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:34.970427990 CEST	49842	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:34.970441103 CEST	443	49842	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:34.970504999 CEST	49842	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:34.971138954 CEST	443	49842	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:34.971198082 CEST	49842	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:35.177416086 CEST	443	49845	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:35.177503109 CEST	49845	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:35.180424929 CEST	49845	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:35.180430889 CEST	443	49845	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:35.181226015 CEST	443	49845	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:35.183234930 CEST	49845	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:35.183322906 CEST	49845	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:35.183387041 CEST	443	49845	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:35.183437109 CEST	49845	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:36.651443005 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:36.652407885 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:36.655729055 CEST	49857	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:36.655822992 CEST	443	49857	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:36.656078100 CEST	49857	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:36.656183958 CEST	49857	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:36.656203032 CEST	443	49857	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:36.656913042 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:36.657812119 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:36.777842045 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:36.778908968 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:36.821858883 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:36.821964025 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:36.981653929 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:36.985030890 CEST	49860	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:36.985127926 CEST	443	49860	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:36.985513926 CEST	49860	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:36.986836910 CEST	49860	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:36.986876011 CEST	443	49860	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:36.987112045 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.109097958 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.155800104 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:37.271488905 CEST	443	49857	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:37.275729895 CEST	49857	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.278543949 CEST	49857	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.278557062 CEST	443	49857	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:37.278803110 CEST	443	49857	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:37.280544043 CEST	49857	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.280644894 CEST	49857	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.280718088 CEST	443	49857	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:37.282923937 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:37.285713911 CEST	49857	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.285713911 CEST	49857	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.288208008 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.409579992 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.420129061 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:37.425761938 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.461383104 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:37.547017097 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.592941046 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:37.610897064 CEST	443	49860	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:37.610992908 CEST	49860	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.615991116 CEST	49860	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.616025925 CEST	443	49860	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:37.616072893 CEST	49860	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.616211891 CEST	443	49860	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:37.616267920 CEST	49860	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.619672060 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:37.622070074 CEST	49865	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.622107029 CEST	443	49865	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:37.622405052 CEST	49865	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.623646975 CEST	49865	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:37.623666048 CEST	443	49865	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:37.624989033 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.747457027 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.750196934 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:37.755521059 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.793509007 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:37.876470089 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:37.925046921 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:38.242878914 CEST	443	49865	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:38.243052006 CEST	49865	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.248074055 CEST	49865	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.248097897 CEST	443	49865	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:38.248199940 CEST	49865	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.248245001 CEST	443	49865	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:38.249027967 CEST	49865	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.250737906 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:38.252928019 CEST	49870	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.252943993 CEST	443	49870	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:38.253012896 CEST	49870	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.254339933 CEST	49870	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.254348040 CEST	443	49870	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:38.256211996 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:38.377892017 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:38.385535955 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:38.391096115 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:38.426491976 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:38.516376972 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:38.564543962 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:38.861367941 CEST	443	49870	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:38.861459017 CEST	49870	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.866219044 CEST	49870	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.866228104 CEST	443	49870	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:38.866327047 CEST	49870	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.866379976 CEST	443	49870	34.120.208.123	192.168.2.7
Oct 24, 2024 02:50:38.867350101 CEST	49870	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:50:38.868448019 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:38.874032021 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:38.995107889 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:38.998706102 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:39.004019976 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:39.050435066 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:39.125507116 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:39.166307926 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:47.611696005 CEST	49923	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:47.611756086 CEST	443	49923	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:47.616473913 CEST	49924	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:47.616514921 CEST	443	49924	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:47.617023945 CEST	49923	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:47.617137909 CEST	49923	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:47.617146969 CEST	443	49923	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:47.617316961 CEST	49924	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:47.617450953 CEST	49924	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:47.617465973 CEST	443	49924	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:47.622873068 CEST	49925	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:47.622891903 CEST	443	49925	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:47.623837948 CEST	49926	443	192.168.2.7	151.101.129.91
Oct 24, 2024 02:50:47.623864889 CEST	443	49926	151.101.129.91	192.168.2.7
Oct 24, 2024 02:50:47.626259089 CEST	49926	443	192.168.2.7	151.101.129.91
Oct 24, 2024 02:50:47.626333952 CEST	49925	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:47.627760887 CEST	49925	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:47.627804995 CEST	443	49925	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:47.627952099 CEST	49926	443	192.168.2.7	151.101.129.91
Oct 24, 2024 02:50:47.627981901 CEST	443	49926	151.101.129.91	192.168.2.7
Oct 24, 2024 02:50:47.628279924 CEST	49927	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:47.628333092 CEST	443	49927	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:47.634418964 CEST	49927	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:47.638627052 CEST	49927	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:47.638662100 CEST	443	49927	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:47.643153906 CEST	49928	443	192.168.2.7	35.201.103.21
Oct 24, 2024 02:50:47.643170118 CEST	443	49928	35.201.103.21	192.168.2.7
Oct 24, 2024 02:50:47.645062923 CEST	49928	443	192.168.2.7	35.201.103.21
Oct 24, 2024 02:50:47.646146059 CEST	49928	443	192.168.2.7	35.201.103.21
Oct 24, 2024 02:50:47.646158934 CEST	443	49928	35.201.103.21	192.168.2.7
Oct 24, 2024 02:50:48.225832939 CEST	443	49924	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.225918055 CEST	49924	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.228862047 CEST	49924	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.228876114 CEST	443	49924	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.229209900 CEST	443	49924	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.231553078 CEST	49924	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.231635094 CEST	49924	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.231739998 CEST	443	49924	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.232250929 CEST	49924	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.235621929 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:48.236444950 CEST	443	49925	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:48.236520052 CEST	49925	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:48.240926981 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:48.241092920 CEST	443	49923	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.241216898 CEST	49925	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:48.241216898 CEST	49923	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.241230011 CEST	443	49925	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:48.241291046 CEST	49925	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:48.241430044 CEST	443	49925	34.107.243.93	192.168.2.7
Oct 24, 2024 02:50:48.241781950 CEST	49925	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:50:48.244224072 CEST	49923	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.244229078 CEST	443	49923	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.244546890 CEST	443	49923	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.246926069 CEST	49923	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.247003078 CEST	49923	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.247101068 CEST	443	49923	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.247930050 CEST	49923	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.248183012 CEST	443	49926	151.101.129.91	192.168.2.7
Oct 24, 2024 02:50:48.248255014 CEST	49926	443	192.168.2.7	151.101.129.91
Oct 24, 2024 02:50:48.250849009 CEST	49926	443	192.168.2.7	151.101.129.91
Oct 24, 2024 02:50:48.250855923 CEST	443	49926	151.101.129.91	192.168.2.7
Oct 24, 2024 02:50:48.251251936 CEST	443	49926	151.101.129.91	192.168.2.7
Oct 24, 2024 02:50:48.253175974 CEST	443	49927	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:48.253426075 CEST	49926	443	192.168.2.7	151.101.129.91
Oct 24, 2024 02:50:48.253427029 CEST	49927	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:48.253485918 CEST	49926	443	192.168.2.7	151.101.129.91
Oct 24, 2024 02:50:48.253629923 CEST	443	49926	151.101.129.91	192.168.2.7
Oct 24, 2024 02:50:48.254667997 CEST	49926	443	192.168.2.7	151.101.129.91
Oct 24, 2024 02:50:48.257065058 CEST	49927	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:48.257080078 CEST	443	49927	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:48.257121086 CEST	49927	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:48.257314920 CEST	443	49927	35.190.72.216	192.168.2.7
Oct 24, 2024 02:50:48.260443926 CEST	49927	443	192.168.2.7	35.190.72.216
Oct 24, 2024 02:50:48.278552055 CEST	443	49928	35.201.103.21	192.168.2.7
Oct 24, 2024 02:50:48.278620958 CEST	49928	443	192.168.2.7	35.201.103.21
Oct 24, 2024 02:50:48.282433033 CEST	49928	443	192.168.2.7	35.201.103.21
Oct 24, 2024 02:50:48.282433033 CEST	49928	443	192.168.2.7	35.201.103.21
Oct 24, 2024 02:50:48.282438993 CEST	443	49928	35.201.103.21	192.168.2.7
Oct 24, 2024 02:50:48.282622099 CEST	443	49928	35.201.103.21	192.168.2.7
Oct 24, 2024 02:50:48.282767057 CEST	49928	443	192.168.2.7	35.201.103.21
Oct 24, 2024 02:50:48.285347939 CEST	49932	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.285370111 CEST	443	49932	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.285554886 CEST	49932	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.285634041 CEST	49932	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.285638094 CEST	443	49932	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.295960903 CEST	49933	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.295985937 CEST	443	49933	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.296194077 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.296206951 CEST	443	49934	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.296283960 CEST	49935	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.296303034 CEST	443	49935	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.296385050 CEST	49933	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.296425104 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.296448946 CEST	49933	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.296463013 CEST	443	49933	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.296610117 CEST	49935	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.296685934 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.296696901 CEST	443	49934	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.296725988 CEST	49935	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.296751022 CEST	443	49935	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.362154007 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:48.365012884 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:48.370358944 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:48.408334970 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:48.492214918 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:48.539850950 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:48.900850058 CEST	443	49932	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.900932074 CEST	49932	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.903559923 CEST	49932	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.903570890 CEST	443	49932	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.903925896 CEST	443	49932	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.905868053 CEST	49932	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.905942917 CEST	49932	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.906052113 CEST	443	49932	34.149.100.209	192.168.2.7
Oct 24, 2024 02:50:48.906934977 CEST	49932	443	192.168.2.7	34.149.100.209
Oct 24, 2024 02:50:48.908407927 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:48.908628941 CEST	443	49935	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.908761978 CEST	49935	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.910420895 CEST	443	49934	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.911345959 CEST	49935	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.911360979 CEST	443	49935	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.911740065 CEST	443	49935	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.913399935 CEST	49935	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.913470030 CEST	49935	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.913603067 CEST	443	49935	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.913908005 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:48.914910078 CEST	443	49933	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.915359020 CEST	443	49934	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.919070005 CEST	49935	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.919106007 CEST	49935	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.919224977 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.921864986 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.921869040 CEST	443	49934	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.922266960 CEST	443	49934	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.923341036 CEST	443	49933	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.925045967 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.925110102 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.925435066 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.925435066 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.925446987 CEST	443	49934	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.925451040 CEST	49933	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.933247089 CEST	49933	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.933259964 CEST	443	49933	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.933391094 CEST	49934	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.934073925 CEST	443	49933	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.935436964 CEST	49933	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.935508013 CEST	49933	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.935802937 CEST	443	49933	35.244.181.201	192.168.2.7
Oct 24, 2024 02:50:48.939032078 CEST	49933	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:48.939032078 CEST	49933	443	192.168.2.7	35.244.181.201
Oct 24, 2024 02:50:49.035248995 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:49.038094044 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:49.043404102 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:49.079152107 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:49.165741920 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:49.210618973 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:59.043689966 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:59.049124002 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:50:59.172962904 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:50:59.178225040 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:08.251418114 CEST	50029	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:08.251506090 CEST	443	50029	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:08.251594067 CEST	50029	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:08.252963066 CEST	50029	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:08.253001928 CEST	443	50029	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:08.879667997 CEST	443	50029	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:08.883663893 CEST	50029	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:08.891367912 CEST	50029	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:08.891401052 CEST	443	50029	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:08.891442060 CEST	50029	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:08.891616106 CEST	443	50029	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:08.892015934 CEST	50029	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:08.894118071 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:08.899552107 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:09.020756960 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:09.024202108 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:09.029485941 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:09.064316988 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:09.150645971 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:09.202423096 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:17.023677111 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.023763895 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.023900986 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.023950100 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.024136066 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.024158001 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.024367094 CEST	50036	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.024410009 CEST	443	50036	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.025547981 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.025559902 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.025599003 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.025733948 CEST	50036	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.025758982 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.025779963 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.025871038 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.025891066 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.025938988 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.025965929 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.026089907 CEST	50036	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.026106119 CEST	443	50036	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.034347057 CEST	50037	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.034434080 CEST	443	50037	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.034483910 CEST	50038	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.034495115 CEST	443	50038	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.048247099 CEST	50037	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.048279047 CEST	50038	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.048345089 CEST	50037	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.048377037 CEST	443	50037	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.048499107 CEST	50038	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.048508883 CEST	443	50038	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.633085966 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.633287907 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.636593103 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.636610031 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.636831045 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.639214039 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.639343023 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.639365911 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.639874935 CEST	50039	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.639971018 CEST	443	50039	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.646172047 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.646193027 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.646233082 CEST	50039	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.646364927 CEST	50039	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.646385908 CEST	443	50039	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.649178982 CEST	443	50036	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.649342060 CEST	50036	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.649712086 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.649866104 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.652046919 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.652244091 CEST	50036	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.652262926 CEST	443	50036	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.652683973 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.652992964 CEST	443	50036	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.654701948 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.654731035 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.655143976 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.656800985 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.656825066 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.657239914 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.658093929 CEST	443	50037	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.658109903 CEST	443	50037	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.661186934 CEST	50036	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.661212921 CEST	50036	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.661329031 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.661379099 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.661401033 CEST	443	50036	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.661463976 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.661514997 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.661623001 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.661672115 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.662126064 CEST	50040	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.662220001 CEST	443	50040	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.662331104 CEST	50036	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.662344933 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.662380934 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.662664890 CEST	50037	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.662682056 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.662683010 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.662688017 CEST	50040	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.662695885 CEST	50036	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.663748980 CEST	443	50038	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.663774014 CEST	443	50038	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.665422916 CEST	50037	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.665436983 CEST	443	50037	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.665771961 CEST	50040	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.665802956 CEST	443	50040	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.665906906 CEST	443	50037	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.666495085 CEST	50038	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.668718100 CEST	50038	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.668735981 CEST	443	50038	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.669121027 CEST	443	50038	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.671204090 CEST	50037	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.671274900 CEST	50037	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.671451092 CEST	443	50037	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:17.671814919 CEST	50038	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.671814919 CEST	50038	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.672004938 CEST	50038	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.672025919 CEST	50037	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:17.678595066 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:17.683897972 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:17.805272102 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:17.850007057 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:17.851804972 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:17.855520964 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:17.976938963 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:18.019804955 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:18.259401083 CEST	443	50039	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:18.259651899 CEST	50039	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.262053967 CEST	50039	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.262084007 CEST	443	50039	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:18.262311935 CEST	443	50039	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:18.263861895 CEST	50039	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.263957977 CEST	50039	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.264018059 CEST	443	50039	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:18.265399933 CEST	50039	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.265399933 CEST	50039	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.266968966 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:18.272264957 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:18.279907942 CEST	443	50040	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:18.280374050 CEST	50040	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.283634901 CEST	50040	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.283663034 CEST	443	50040	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:18.284082890 CEST	443	50040	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:18.286690950 CEST	50040	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.286787987 CEST	50040	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.286926031 CEST	443	50040	34.120.208.123	192.168.2.7
Oct 24, 2024 02:51:18.286976099 CEST	50040	443	192.168.2.7	34.120.208.123
Oct 24, 2024 02:51:18.399965048 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:18.403040886 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:18.408401966 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:18.452131033 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:18.529670954 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:18.574593067 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:28.402581930 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:28.408123970 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:28.534120083 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:28.539654016 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:38.431906939 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:38.437419891 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:38.547940969 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:38.553637028 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:48.457690954 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:48.464834929 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:48.557972908 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:48.563736916 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:49.283164024 CEST	50041	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:49.283261061 CEST	443	50041	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:49.283353090 CEST	50041	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:49.284672022 CEST	50041	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:49.284713030 CEST	443	50041	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:49.908593893 CEST	443	50041	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:49.908797026 CEST	50041	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:49.913564920 CEST	50041	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:49.913595915 CEST	443	50041	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:49.913651943 CEST	50041	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:49.913846970 CEST	443	50041	34.107.243.93	192.168.2.7
Oct 24, 2024 02:51:49.914779902 CEST	50041	443	192.168.2.7	34.107.243.93
Oct 24, 2024 02:51:49.916388988 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:49.921756029 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:50.043572903 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:50.047324896 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:50.052674055 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:50.093568087 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:51:50.176552057 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:51:50.225102901 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:52:00.053296089 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:52:00.058851957 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:52:00.191330910 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:52:00.197819948 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:52:10.066550970 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:52:10.072278976 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:52:10.198471069 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:52:10.203955889 CEST	80	49742	34.107.221.82	192.168.2.7
Oct 24, 2024 02:52:20.082926989 CEST	49743	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:52:20.088577986 CEST	80	49743	34.107.221.82	192.168.2.7
Oct 24, 2024 02:52:20.214936018 CEST	49742	80	192.168.2.7	34.107.221.82
Oct 24, 2024 02:52:20.221224070 CEST	80	49742	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 02:50:18.527476072 CEST	50474	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:18.544230938 CEST	53	50474	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:18.549027920 CEST	63081	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:18.556415081 CEST	53	63081	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.531233072 CEST	50780	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.531234026 CEST	60455	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.539073944 CEST	53	50780	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.543946028 CEST	62219	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.544214010 CEST	63980	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.550894022 CEST	53	62219	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.551904917 CEST	53	63980	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.551951885 CEST	62546	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.552541971 CEST	57694	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.559695005 CEST	53	57694	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.560043097 CEST	53	62546	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.867010117 CEST	56138	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.874608040 CEST	53	56138	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.878042936 CEST	55282	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.885492086 CEST	53	55282	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.886077881 CEST	51684	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.893765926 CEST	53	51684	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.919280052 CEST	62244	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.927323103 CEST	53	62244	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.928647995 CEST	62531	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.934475899 CEST	50818	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.936758995 CEST	53	62531	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.937889099 CEST	57615	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.941732883 CEST	53	50818	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.945410967 CEST	53	57615	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:19.949188948 CEST	61065	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:19.956336021 CEST	53	61065	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:20.210165977 CEST	52680	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:20.217724085 CEST	53	52680	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:20.220194101 CEST	62517	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:20.228508949 CEST	53	62517	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:20.229110003 CEST	52462	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:20.236515045 CEST	53	52462	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:20.446531057 CEST	63585	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:20.446947098 CEST	56501	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:20.453614950 CEST	53	63585	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:20.454005003 CEST	53	56501	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:20.640446901 CEST	49425	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:22.650196075 CEST	62417	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:22.680648088 CEST	53	60112	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:22.781300068 CEST	50468	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:22.788477898 CEST	53	50468	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:22.789541006 CEST	55975	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:22.797287941 CEST	53	55975	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:22.801707029 CEST	64821	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:22.809324026 CEST	53	64821	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:23.585406065 CEST	55567	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:23.592864037 CEST	53	55567	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:23.602781057 CEST	49188	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:23.610202074 CEST	53	49188	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:23.627712965 CEST	53850	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:23.634823084 CEST	53	53850	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:23.912326097 CEST	55391	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:23.919516087 CEST	53	55391	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:23.932073116 CEST	49582	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:23.939481020 CEST	53	49582	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:27.707675934 CEST	55212	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:27.823771954 CEST	53	55212	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:27.851624012 CEST	53036	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:27.860140085 CEST	53	53036	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:27.862822056 CEST	60294	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:27.870449066 CEST	53	60294	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:32.072539091 CEST	62971	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:32.072798967 CEST	52439	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:32.073080063 CEST	53088	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:32.079747915 CEST	53	62971	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:32.080116034 CEST	53	52439	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:32.080601931 CEST	53	53088	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:32.080754042 CEST	52132	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:32.087990999 CEST	53	52132	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:32.091165066 CEST	54803	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:32.099029064 CEST	53	54803	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.395159960 CEST	58292	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.395253897 CEST	50186	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.395685911 CEST	60386	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.402714014 CEST	53	58292	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.402899027 CEST	53	50186	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.403233051 CEST	61099	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.403364897 CEST	60095	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.403619051 CEST	53	60386	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.404191971 CEST	53985	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.410445929 CEST	53	60095	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.410954952 CEST	53	61099	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.411024094 CEST	50791	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.412172079 CEST	53	53985	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.413815022 CEST	64598	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.418204069 CEST	53	50791	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.418760061 CEST	54887	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.421950102 CEST	53	64598	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.425904989 CEST	53	54887	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.426369905 CEST	61479	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.433803082 CEST	53	61479	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:33.721196890 CEST	61041	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:33.728614092 CEST	53	61041	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:34.336467028 CEST	51694	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:34.343492031 CEST	53	51694	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:38.253473997 CEST	59859	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:38.261200905 CEST	53	59859	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.602559090 CEST	51479	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.603823900 CEST	50660	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.606551886 CEST	59740	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.609643936 CEST	53	51479	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.610414982 CEST	51008	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.613691092 CEST	53	59740	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.618010044 CEST	53	51008	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.619863033 CEST	53	50660	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.623137951 CEST	64785	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.624572039 CEST	65404	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.628694057 CEST	64825	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.630579948 CEST	53	64785	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.632133961 CEST	53	65404	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.634990931 CEST	50241	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.636472940 CEST	53	64825	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.642118931 CEST	53	50241	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.643980980 CEST	58759	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.652360916 CEST	53	58759	1.1.1.1	192.168.2.7
Oct 24, 2024 02:50:47.654221058 CEST	62022	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:50:47.661894083 CEST	53	62022	1.1.1.1	192.168.2.7
Oct 24, 2024 02:51:08.250924110 CEST	54017	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:51:08.258240938 CEST	53	54017	1.1.1.1	192.168.2.7
Oct 24, 2024 02:51:08.259473085 CEST	55387	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:51:08.267038107 CEST	53	55387	1.1.1.1	192.168.2.7
Oct 24, 2024 02:51:08.894407034 CEST	55490	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:51:17.020703077 CEST	57593	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:51:17.028655052 CEST	53	57593	1.1.1.1	192.168.2.7
Oct 24, 2024 02:51:49.263144016 CEST	62292	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:51:49.282227039 CEST	53	62292	1.1.1.1	192.168.2.7
Oct 24, 2024 02:51:49.283077955 CEST	54687	53	192.168.2.7	1.1.1.1
Oct 24, 2024 02:51:49.290577888 CEST	53	54687	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 02:50:18.527476072 CEST	192.168.2.7	1.1.1.1	0x3be8	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:18.549027920 CEST	192.168.2.7	1.1.1.1	0xc74e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 02:50:19.531233072 CEST	192.168.2.7	1.1.1.1	0xfe6b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.531234026 CEST	192.168.2.7	1.1.1.1	0x950a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.543946028 CEST	192.168.2.7	1.1.1.1	0xe83c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.544214010 CEST	192.168.2.7	1.1.1.1	0xa6f7	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.551951885 CEST	192.168.2.7	1.1.1.1	0x1979	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 02:50:19.552541971 CEST	192.168.2.7	1.1.1.1	0xfdbf	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:19.867010117 CEST	192.168.2.7	1.1.1.1	0xcce0	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.878042936 CEST	192.168.2.7	1.1.1.1	0x1fe7	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.886077881 CEST	192.168.2.7	1.1.1.1	0xaea4	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:19.919280052 CEST	192.168.2.7	1.1.1.1	0x4bb3	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.928647995 CEST	192.168.2.7	1.1.1.1	0xb964	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.934475899 CEST	192.168.2.7	1.1.1.1	0x2941	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.937889099 CEST	192.168.2.7	1.1.1.1	0x1d80	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 02:50:19.949188948 CEST	192.168.2.7	1.1.1.1	0xed56	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 02:50:20.210165977 CEST	192.168.2.7	1.1.1.1	0x1634	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.220194101 CEST	192.168.2.7	1.1.1.1	0x405e	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.229110003 CEST	192.168.2.7	1.1.1.1	0xd96e	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 02:50:20.446531057 CEST	192.168.2.7	1.1.1.1	0x89cd	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.446947098 CEST	192.168.2.7	1.1.1.1	0x2051	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.640446901 CEST	192.168.2.7	1.1.1.1	0x3da8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:22.650196075 CEST	192.168.2.7	1.1.1.1	0x5bd	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:22.781300068 CEST	192.168.2.7	1.1.1.1	0xf08	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:22.789541006 CEST	192.168.2.7	1.1.1.1	0xd261	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:22.801707029 CEST	192.168.2.7	1.1.1.1	0x6670	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:23.585406065 CEST	192.168.2.7	1.1.1.1	0xa785	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:23.602781057 CEST	192.168.2.7	1.1.1.1	0x52a1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:23.627712965 CEST	192.168.2.7	1.1.1.1	0x6a23	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 02:50:23.912326097 CEST	192.168.2.7	1.1.1.1	0x78f6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:23.932073116 CEST	192.168.2.7	1.1.1.1	0x37d0	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:27.707675934 CEST	192.168.2.7	1.1.1.1	0x1e09	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:27.851624012 CEST	192.168.2.7	1.1.1.1	0x6993	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:27.862822056 CEST	192.168.2.7	1.1.1.1	0x8f80	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 02:50:32.072539091 CEST	192.168.2.7	1.1.1.1	0x5aef	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.072798967 CEST	192.168.2.7	1.1.1.1	0x489c	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.073080063 CEST	192.168.2.7	1.1.1.1	0xb9d2	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.080754042 CEST	192.168.2.7	1.1.1.1	0x148f	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.091165066 CEST	192.168.2.7	1.1.1.1	0xe7c6	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:33.395159960 CEST	192.168.2.7	1.1.1.1	0x7603	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.395253897 CEST	192.168.2.7	1.1.1.1	0xa9f9	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.395685911 CEST	192.168.2.7	1.1.1.1	0xb51c	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.403233051 CEST	192.168.2.7	1.1.1.1	0xffc1	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 24, 2024 02:50:33.403364897 CEST	192.168.2.7	1.1.1.1	0x17d0	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:33.404191971 CEST	192.168.2.7	1.1.1.1	0x37be	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.411024094 CEST	192.168.2.7	1.1.1.1	0x31be	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.413815022 CEST	192.168.2.7	1.1.1.1	0xf469	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 24, 2024 02:50:33.418760061 CEST	192.168.2.7	1.1.1.1	0x375f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.426369905 CEST	192.168.2.7	1.1.1.1	0xe2f0	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:33.721196890 CEST	192.168.2.7	1.1.1.1	0xa83	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:34.336467028 CEST	192.168.2.7	1.1.1.1	0x6ce2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:38.253473997 CEST	192.168.2.7	1.1.1.1	0x4f14	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:47.602559090 CEST	192.168.2.7	1.1.1.1	0x5e07	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.603823900 CEST	192.168.2.7	1.1.1.1	0x9ac4	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.606551886 CEST	192.168.2.7	1.1.1.1	0x8b30	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 02:50:47.610414982 CEST	192.168.2.7	1.1.1.1	0xdb87	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.623137951 CEST	192.168.2.7	1.1.1.1	0x3bbb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:50:47.624572039 CEST	192.168.2.7	1.1.1.1	0x542c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.628694057 CEST	192.168.2.7	1.1.1.1	0x3ff8	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.634990931 CEST	192.168.2.7	1.1.1.1	0x45dd	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 24, 2024 02:50:47.643980980 CEST	192.168.2.7	1.1.1.1	0x3e46	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.654221058 CEST	192.168.2.7	1.1.1.1	0xf16f	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:51:08.250924110 CEST	192.168.2.7	1.1.1.1	0x5d8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:51:08.259473085 CEST	192.168.2.7	1.1.1.1	0xfa66	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:51:08.894407034 CEST	192.168.2.7	1.1.1.1	0x71f3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:51:17.020703077 CEST	192.168.2.7	1.1.1.1	0x8d18	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 02:51:49.263144016 CEST	192.168.2.7	1.1.1.1	0xbd91	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:51:49.283077955 CEST	192.168.2.7	1.1.1.1	0x7c16	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 02:50:18.472074032 CEST	1.1.1.1	192.168.2.7	0x7902	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:18.544230938 CEST	1.1.1.1	192.168.2.7	0x3be8	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.538858891 CEST	1.1.1.1	192.168.2.7	0x950a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:19.538858891 CEST	1.1.1.1	192.168.2.7	0x950a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.539073944 CEST	1.1.1.1	192.168.2.7	0xfe6b	No error (0)	youtube.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.550894022 CEST	1.1.1.1	192.168.2.7	0xe83c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.551904917 CEST	1.1.1.1	192.168.2.7	0xa6f7	No error (0)	youtube.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.559695005 CEST	1.1.1.1	192.168.2.7	0xfdbf	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 24, 2024 02:50:19.560043097 CEST	1.1.1.1	192.168.2.7	0x1979	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 24, 2024 02:50:19.874608040 CEST	1.1.1.1	192.168.2.7	0xcce0	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.885492086 CEST	1.1.1.1	192.168.2.7	0x1fe7	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.927323103 CEST	1.1.1.1	192.168.2.7	0x4bb3	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:19.927323103 CEST	1.1.1.1	192.168.2.7	0x4bb3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.931915998 CEST	1.1.1.1	192.168.2.7	0x9ce7	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:19.931915998 CEST	1.1.1.1	192.168.2.7	0x9ce7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.936758995 CEST	1.1.1.1	192.168.2.7	0xb964	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:19.941732883 CEST	1.1.1.1	192.168.2.7	0x2941	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.217724085 CEST	1.1.1.1	192.168.2.7	0x1634	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:20.217724085 CEST	1.1.1.1	192.168.2.7	0x1634	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:20.217724085 CEST	1.1.1.1	192.168.2.7	0x1634	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.228508949 CEST	1.1.1.1	192.168.2.7	0x405e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.236515045 CEST	1.1.1.1	192.168.2.7	0xd96e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 24, 2024 02:50:20.453614950 CEST	1.1.1.1	192.168.2.7	0x89cd	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.454005003 CEST	1.1.1.1	192.168.2.7	0x2051	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.454005003 CEST	1.1.1.1	192.168.2.7	0x2051	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:20.647489071 CEST	1.1.1.1	192.168.2.7	0x3da8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:20.647489071 CEST	1.1.1.1	192.168.2.7	0x3da8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:22.657870054 CEST	1.1.1.1	192.168.2.7	0x5bd	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:22.788477898 CEST	1.1.1.1	192.168.2.7	0xf08	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:22.797287941 CEST	1.1.1.1	192.168.2.7	0xd261	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:23.547591925 CEST	1.1.1.1	192.168.2.7	0xf134	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:23.547591925 CEST	1.1.1.1	192.168.2.7	0xf134	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:23.592864037 CEST	1.1.1.1	192.168.2.7	0xa785	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:23.592864037 CEST	1.1.1.1	192.168.2.7	0xa785	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:23.610202074 CEST	1.1.1.1	192.168.2.7	0x52a1	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:23.906606913 CEST	1.1.1.1	192.168.2.7	0x925b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:23.919516087 CEST	1.1.1.1	192.168.2.7	0x78f6	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:27.823136091 CEST	1.1.1.1	192.168.2.7	0xf764	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:27.823771954 CEST	1.1.1.1	192.168.2.7	0x1e09	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:27.823771954 CEST	1.1.1.1	192.168.2.7	0x1e09	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:27.823771954 CEST	1.1.1.1	192.168.2.7	0x1e09	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:27.860140085 CEST	1.1.1.1	192.168.2.7	0x6993	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.079747915 CEST	1.1.1.1	192.168.2.7	0x5aef	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.080116034 CEST	1.1.1.1	192.168.2.7	0x489c	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:32.080116034 CEST	1.1.1.1	192.168.2.7	0x489c	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.080601931 CEST	1.1.1.1	192.168.2.7	0xb9d2	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:32.080601931 CEST	1.1.1.1	192.168.2.7	0xb9d2	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.087990999 CEST	1.1.1.1	192.168.2.7	0x148f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:32.099029064 CEST	1.1.1.1	192.168.2.7	0xe7c6	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 02:50:32.099029064 CEST	1.1.1.1	192.168.2.7	0xe7c6	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 02:50:32.099029064 CEST	1.1.1.1	192.168.2.7	0xe7c6	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 02:50:32.099029064 CEST	1.1.1.1	192.168.2.7	0xe7c6	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 02:50:33.402714014 CEST	1.1.1.1	192.168.2.7	0x7603	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.402899027 CEST	1.1.1.1	192.168.2.7	0xa9f9	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.403619051 CEST	1.1.1.1	192.168.2.7	0xb51c	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:33.403619051 CEST	1.1.1.1	192.168.2.7	0xb51c	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.403619051 CEST	1.1.1.1	192.168.2.7	0xb51c	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.403619051 CEST	1.1.1.1	192.168.2.7	0xb51c	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.403619051 CEST	1.1.1.1	192.168.2.7	0xb51c	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.410445929 CEST	1.1.1.1	192.168.2.7	0x17d0	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 24, 2024 02:50:33.410954952 CEST	1.1.1.1	192.168.2.7	0xffc1	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 24, 2024 02:50:33.412172079 CEST	1.1.1.1	192.168.2.7	0x37be	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.412172079 CEST	1.1.1.1	192.168.2.7	0x37be	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.412172079 CEST	1.1.1.1	192.168.2.7	0x37be	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.412172079 CEST	1.1.1.1	192.168.2.7	0x37be	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.418204069 CEST	1.1.1.1	192.168.2.7	0x31be	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:33.425904989 CEST	1.1.1.1	192.168.2.7	0x375f	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.609643936 CEST	1.1.1.1	192.168.2.7	0x5e07	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.610471010 CEST	1.1.1.1	192.168.2.7	0xd68f	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:47.610471010 CEST	1.1.1.1	192.168.2.7	0xd68f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.618010044 CEST	1.1.1.1	192.168.2.7	0xdb87	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.619863033 CEST	1.1.1.1	192.168.2.7	0x9ac4	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.619863033 CEST	1.1.1.1	192.168.2.7	0x9ac4	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.619863033 CEST	1.1.1.1	192.168.2.7	0x9ac4	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.619863033 CEST	1.1.1.1	192.168.2.7	0x9ac4	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.632133961 CEST	1.1.1.1	192.168.2.7	0x542c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.632133961 CEST	1.1.1.1	192.168.2.7	0x542c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.632133961 CEST	1.1.1.1	192.168.2.7	0x542c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.632133961 CEST	1.1.1.1	192.168.2.7	0x542c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.636472940 CEST	1.1.1.1	192.168.2.7	0x3ff8	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:47.636472940 CEST	1.1.1.1	192.168.2.7	0x3ff8	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:47.652360916 CEST	1.1.1.1	192.168.2.7	0x3e46	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:48.295171976 CEST	1.1.1.1	192.168.2.7	0xbbc7	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:48.295171976 CEST	1.1.1.1	192.168.2.7	0xbbc7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:50:48.947510958 CEST	1.1.1.1	192.168.2.7	0xbbe9	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:50:48.947510958 CEST	1.1.1.1	192.168.2.7	0xbbe9	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:51:08.258240938 CEST	1.1.1.1	192.168.2.7	0x5d8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:51:08.901865005 CEST	1.1.1.1	192.168.2.7	0x71f3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 02:51:08.901865005 CEST	1.1.1.1	192.168.2.7	0x71f3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:51:17.013178110 CEST	1.1.1.1	192.168.2.7	0xa759	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 02:51:49.282227039 CEST	1.1.1.1	192.168.2.7	0xbd91	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49728	34.107.221.82	80	7992	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 02:50:19.698255062 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:20.301171064 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43243 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49742	34.107.221.82	80	7992	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 02:50:20.660828114 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:21.264873981 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 42996 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:22.147468090 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:22.275192976 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 42997 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:22.530158043 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:22.657938957 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 42997 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:22.793245077 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:22.919749975 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 42997 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:23.909934998 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:24.036577940 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 42998 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:33.433963060 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:33.563123941 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43008 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:34.543539047 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:34.673491955 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43009 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:36.651443005 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:36.777842045 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43011 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:36.981653929 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:37.109097958 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43012 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:37.420129061 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:37.547017097 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43012 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:37.750196934 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:37.876470089 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43012 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:38.385535955 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:38.516376972 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43013 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:38.998706102 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:39.125507116 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43014 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:48.365012884 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:48.492214918 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43023 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:49.038094044 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:50:49.165741920 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43024 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:50:59.172962904 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:51:09.024202108 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:51:09.150645971 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43044 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:51:17.850007057 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:51:17.976938963 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43052 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:51:18.403040886 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:51:18.529670954 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43053 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:51:28.534120083 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:51:38.547940969 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:51:48.557972908 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:51:50.047324896 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 02:51:50.176552057 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 43085 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 02:52:00.191330910 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:52:10.198471069 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:52:20.214936018 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49743	34.107.221.82	80	7992	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 02:50:20.694583893 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:21.299335003 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43244 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:22.148010015 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:22.275255919 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43245 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:22.645685911 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:22.773662090 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43245 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:23.489098072 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:23.616096973 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43246 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:27.756617069 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:27.942554951 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43250 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:33.700921059 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:33.828634024 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43256 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:34.549798012 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:34.677071095 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43257 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:36.652407885 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:36.778908968 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43259 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:37.282923937 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:37.409579992 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43260 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:37.619672060 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:37.747457027 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43260 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:38.250737906 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:38.377892017 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43261 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:38.868448019 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:38.995107889 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43261 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:48.235621929 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:48.362154007 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43271 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:48.908407927 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:50:49.035248995 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43271 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:50:59.043689966 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:51:08.894118071 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:51:09.020756960 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43291 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:51:17.678595066 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:51:17.805272102 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43300 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:51:18.266968966 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:51:18.399965048 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43301 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:51:28.402581930 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:51:38.431906939 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:51:48.457690954 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:51:49.916388988 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 02:51:50.043572903 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 43332 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 02:52:00.053296089 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:52:10.066550970 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 02:52:20.082926989 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	20:50:10
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x130000
File size:	919'552 bytes
MD5 hash:	6E9C01E11D3D6DFE9C42E1BA38EE91A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1357074632.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:50:11
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:50:11
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:50:13
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:50:13
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:50:13
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:50:13
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:50:13
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:50:13
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:50:13
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:50:14
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:50:14
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:50:14
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	20:50:14
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	20:50:15
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de06ef4-7b42-4cc5-b75b-16175537487e} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb47a6f510 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	20:50:17
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c009cfd6-4e48-44af-ba60-856a4eeb6978} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb59ad6c10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	20:50:22
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4992 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4984 -prefMapHandle 4980 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77f7aa6d-255c-483f-8a66-dc6825b39511} 7992 "\\.\pipe\gecko-crash-server-pipe.7992" 1eb617f6910 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	1579
Total number of Limit Nodes:	56

Executed Functions

Function 001342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0013430D

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

GetCurrentProcess.KERNEL32(?,001CCB64,00000000,?,?), ref: 00134422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00134429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00134454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00134466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00134474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0013447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001344A0

Strings

|O, xrefs: 001736F8
GetNativeSystemInfo, xrefs: 00134460
kernel32.dll, xrefs: 0013444F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: ffdf2a7178e51a9844b0d351ad22deda8adc28a6414bc192b91386bbf4badf6a
Instruction ID: bd9495c06523d1b0a13e63d3eb40a6e323dc594107103271b67d10f2733508ce
Opcode Fuzzy Hash: ffdf2a7178e51a9844b0d351ad22deda8adc28a6414bc192b91386bbf4badf6a
Instruction Fuzzy Hash: CDA1A36290A3C0DFC715C7797C896A57FF47B26340F0898E9E09593A63D3305AA8DB61

Function 001342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001350AA,?,?,00000000,00000000), ref: 001342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001350AA,?,?,00000000,00000000), ref: 001342C9
LoadResource.KERNEL32(?,00000000,?,?,001350AA,?,?,00000000,00000000,?,?,?,?,?,?,00134F20), ref: 001735BE
SizeofResource.KERNEL32(?,00000000,?,?,001350AA,?,?,00000000,00000000,?,?,?,?,?,?,00134F20), ref: 001735D3
LockResource.KERNEL32(001350AA,?,?,001350AA,?,?,00000000,00000000,?,?,?,?,?,?,00134F20,?), ref: 001735E6

Strings

SCRIPT, xrefs: 001342BF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c6830bdd7a58e2db7f49193993d8423be1abb90fa8536ff6ef9957fcb895f124
Instruction ID: 58a6ba30794e66a2b4590f364275835a3a73f2ae6a401692987c98acde936e1b
Opcode Fuzzy Hash: c6830bdd7a58e2db7f49193993d8423be1abb90fa8536ff6ef9957fcb895f124
Instruction Fuzzy Hash: 6C118E70200700BFD7218BA6EC48F677BBDEBC6B51F14816DF456D6A50DB71EC408A60

Function 00172BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00132B6B

Part of subcall function 00133A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00201418,?,00132E7F,?,?,?,00000000), ref: 00133A78

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,001F2224), ref: 00172C10
ShellExecuteW.SHELL32(00000000,?,?,001F2224), ref: 00172C17

Strings

runas, xrefs: 00172C0B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 88e4951cd3298cb896abe83f3298c06d5f7afb0a16387ab3ec6448e91a964a18
Instruction ID: f1ad4b4322c43e72a04ee5a96316b0d3d82f90e7c77ceb3f7cc80dc020c68fec
Opcode Fuzzy Hash: 88e4951cd3298cb896abe83f3298c06d5f7afb0a16387ab3ec6448e91a964a18
Instruction Fuzzy Hash: 6811B631208345AAC718FF60E855DBEBBA4AFB1350F44542DF196570A3CF718A5AC752

Function 0019D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0019D501
Process32FirstW.KERNEL32(00000000,?), ref: 0019D50F
Process32NextW.KERNEL32(00000000,?), ref: 0019D52F
CloseHandle.KERNELBASE(00000000), ref: 0019D5DC

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d6c7792dc092dfebc31a0bdb721e878fa36abe48b2845786bf383c39a263c882
Instruction ID: 6da803aafda34ba8f4bb67b781b0ba542c5cfcf013701669ffc8437d2d3f1730
Opcode Fuzzy Hash: d6c7792dc092dfebc31a0bdb721e878fa36abe48b2845786bf383c39a263c882
Instruction Fuzzy Hash: CC31BF311083009FD300EF64D881AAFBBF8EFA9354F14092DF585861A1EB71D989CB92

Function 0019DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00175222), ref: 0019DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0019DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0019DBEE
FindClose.KERNEL32(00000000), ref: 0019DBFA

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 38f2b01b47925bf2d8d61ddf644ac7fda21a921825417b545afe0d538f55a0f2
Instruction ID: 6e77082e2a57ef4bb322096f8bd5c648cae5024dfac3b9d4c902d1a986d72105
Opcode Fuzzy Hash: 38f2b01b47925bf2d8d61ddf644ac7fda21a921825417b545afe0d538f55a0f2
Instruction Fuzzy Hash: 95F0A030810910578A206B78EC0D8AA7B6D9F02334B14470AF83AC28E0EBB09D9586D5

Function 00154CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001628E9,?,00154CBE,001628E9,001F88B8,0000000C,00154E15,001628E9,00000002,00000000,?,001628E9), ref: 00154D09
TerminateProcess.KERNEL32(00000000,?,00154CBE,001628E9,001F88B8,0000000C,00154E15,001628E9,00000002,00000000,?,001628E9), ref: 00154D10
ExitProcess.KERNEL32 ref: 00154D22

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 950512528563bdaf7d8a7173c72d08e8b3ad3fa090f994c97e5f48ee0261bff0
Instruction ID: fe7c6c5704b7e82018f57ca7972562bc9f9ea724d88335c3633483826c7928aa
Opcode Fuzzy Hash: 950512528563bdaf7d8a7173c72d08e8b3ad3fa090f994c97e5f48ee0261bff0
Instruction Fuzzy Hash: 70E0B631400188EBCF11AF94EE09E583F79FB61786B145018FC298B522CB36DE96CA90

Function 0013BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p# , xrefs: 001807CE

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#
API String ID: 3964851224-779609835
Opcode ID: b285563ae300eb9654c787592eb111b342fa3825bc75c932f66c0fdf83cba9bb
Instruction ID: c21920c408dea0e310525788fd7e4d8fdaf7d1e80912a8d1e9fd9dbfdc86727a
Opcode Fuzzy Hash: b285563ae300eb9654c787592eb111b342fa3825bc75c932f66c0fdf83cba9bb
Instruction Fuzzy Hash: 08A27870A083018FD755DF28C480B2ABBE1BF99304F15896DE89A9B352D771ED49CF92

Function 001BAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 001BB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001BB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001BB1D4
_wcslen.LIBCMT ref: 001BB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001BB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001BB236
_wcslen.LIBCMT ref: 001BB332

Part of subcall function 001A05A7: GetStdHandle.KERNEL32(000000F6), ref: 001A05C6

_wcslen.LIBCMT ref: 001BB34B
_wcslen.LIBCMT ref: 001BB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001BB3B6
GetLastError.KERNEL32(00000000), ref: 001BB407
CloseHandle.KERNEL32(?), ref: 001BB439
CloseHandle.KERNEL32(00000000), ref: 001BB44A
CloseHandle.KERNEL32(00000000), ref: 001BB45C
CloseHandle.KERNEL32(00000000), ref: 001BB46E
CloseHandle.KERNEL32(?), ref: 001BB4E3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: dbc46fe4ba64297053995f7d96acf337a2017f45a866d75b72ba15aad7d8a754
Instruction ID: 407e10a86d88c9ac05501eafbb0848c12a9071fdeca106e32fc89704c3d73ce2
Opcode Fuzzy Hash: dbc46fe4ba64297053995f7d96acf337a2017f45a866d75b72ba15aad7d8a754
Instruction Fuzzy Hash: 49F1AD715083009FC724EF24C891BAEBBE1BF85314F14855DF89A9B2A2DB71EC44CB92

Function 0013D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0013D807
timeGetTime.WINMM ref: 0013DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0013DB28
TranslateMessage.USER32(?), ref: 0013DB7B
DispatchMessageW.USER32(?), ref: 0013DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0013DB9F
Sleep.KERNELBASE(0000000A), ref: 0013DBB1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3d71a9817e117d9a59a7783894ed9ac87700da08a730c1d7016e22d9d9c42a14
Instruction ID: cb67f45df47328697853dbfb1ea5ae08df020de23b7a9540ef30073ef94f2d03
Opcode Fuzzy Hash: 3d71a9817e117d9a59a7783894ed9ac87700da08a730c1d7016e22d9d9c42a14
Instruction Fuzzy Hash: 23420230608341EFD729DF24E888BAABBE4FF56304F55855DE456872A1D770E984CF82

Function 00132CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00132D07
RegisterClassExW.USER32(00000030), ref: 00132D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00132D42
InitCommonControlsEx.COMCTL32(?), ref: 00132D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00132D6F
LoadIconW.USER32(000000A9), ref: 00132D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00132D94

Strings

+, xrefs: 00132CF0
TaskbarCreated, xrefs: 00132D37
AutoIt v3 GUI, xrefs: 00132D23
0, xrefs: 00132CE9

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: def8e41ca50848e61465627168446f73244a87fb15355424760dce9394e1ba9a
Instruction ID: 925db3465b67a27e6204b1a4350fec61e78c482e840d30743d3e6e58809ff723
Opcode Fuzzy Hash: def8e41ca50848e61465627168446f73244a87fb15355424760dce9394e1ba9a
Instruction Fuzzy Hash: 9321B2B5D01318AFDB00DFA4E949B9DBFB4FB08B04F00411AF615A66A0D7B189948F91

Function 0017065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0017039A: CreateFileW.KERNELBASE(00000000,00000000,?,00170704,?,?,00000000,?,00170704,00000000,0000000C), ref: 001703B7

GetLastError.KERNEL32 ref: 0017076F
__dosmaperr.LIBCMT ref: 00170776
GetFileType.KERNELBASE(00000000), ref: 00170782
GetLastError.KERNEL32 ref: 0017078C
__dosmaperr.LIBCMT ref: 00170795
CloseHandle.KERNEL32(00000000), ref: 001707B5
CloseHandle.KERNEL32(?), ref: 001708FF
GetLastError.KERNEL32 ref: 00170931
__dosmaperr.LIBCMT ref: 00170938

Strings

H, xrefs: 001708BD

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0193104ad6a9c99eccc5d10ba0e21631153d256ee3c57c6191e5f559757d011a
Instruction ID: aa2162b731ebbfd8ba0a450f220d691fad7fa0d55bbc1bca23acba04662224ae
Opcode Fuzzy Hash: 0193104ad6a9c99eccc5d10ba0e21631153d256ee3c57c6191e5f559757d011a
Instruction Fuzzy Hash: 93A11632A10244CFDF1A9F68D855BAD3BB0AB1A324F14815DF8599F392CB319D16CB91

Function 0013344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00133A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00201418,?,00132E7F,?,?,?,00000000), ref: 00133A78

Part of subcall function 00133357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00133379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0013356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0017318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001731CE
RegCloseKey.ADVAPI32(?), ref: 00173210
_wcslen.LIBCMT ref: 00173277
_wcslen.LIBCMT ref: 00173286

Strings

Include, xrefs: 00173184, 001731C5
Software\AutoIt v3\AutoIt, xrefs: 00133560
\, xrefs: 0017328C
\Include\, xrefs: 00133527

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: c01c6f365d1c208491197acb361da1a1c1fa1ec383f684889ee1b5bf178d81e9
Instruction ID: 95544b34bc0e5ceda1fee6e6365bc7c0ffb7539af70b97c16e1d5c713864a84a
Opcode Fuzzy Hash: c01c6f365d1c208491197acb361da1a1c1fa1ec383f684889ee1b5bf178d81e9
Instruction Fuzzy Hash: 40719F71404301DEC304EF65EC8A95BBBF8FFA4740F40486EF559971A2EB749A48CB52

Function 00132B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00132B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00132B9D
LoadIconW.USER32(00000063), ref: 00132BB3
LoadIconW.USER32(000000A4), ref: 00132BC5
LoadIconW.USER32(000000A2), ref: 00132BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00132BEF
RegisterClassExW.USER32(?), ref: 00132C40

Part of subcall function 00132CD4: GetSysColorBrush.USER32(0000000F), ref: 00132D07
Part of subcall function 00132CD4: RegisterClassExW.USER32(00000030), ref: 00132D31
Part of subcall function 00132CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00132D42
Part of subcall function 00132CD4: InitCommonControlsEx.COMCTL32(?), ref: 00132D5F
Part of subcall function 00132CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00132D6F
Part of subcall function 00132CD4: LoadIconW.USER32(000000A9), ref: 00132D85
Part of subcall function 00132CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00132D94

Strings

AutoIt v3, xrefs: 00132C2F
0, xrefs: 00132C0F
#, xrefs: 00132C16

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b708283e62a9c7032bb75d76f7811dc3e075d00f670b3659dd343e9d48da1bad
Instruction ID: 994271c3fe7f04397ef86143548cf2682e309df8428a8f49b155ee4ddc93ba63
Opcode Fuzzy Hash: b708283e62a9c7032bb75d76f7811dc3e075d00f670b3659dd343e9d48da1bad
Instruction Fuzzy Hash: BB212970E00318ABDB109FA5FC59BA97FF4FB48B50F04009AF504A66A1D7B14960CF94

Function 0013B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0013BB4E

Strings

p% , xrefs: 0013BB32
x# , xrefs: 00180168
p# , xrefs: 0018024F
p% , xrefs: 0013B8DC
p# , xrefs: 0013BA72
p# , xrefs: 00180263
x# , xrefs: 00180207
p# , xrefs: 0013BB6B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p# $p# $p# $p# $p% $p% $x# $x#
API String ID: 1385522511-2698135208
Opcode ID: c0a3f7d8142c060438507fb0c66094850852d43a6ea2e15f131d010be39c92d0
Instruction ID: bc14f44b138cd61465c5f4e8564aa7dc3fb90e4add86c179fef1d5921e983943
Opcode Fuzzy Hash: c0a3f7d8142c060438507fb0c66094850852d43a6ea2e15f131d010be39c92d0
Instruction Fuzzy Hash: 5432FF70A04209DFDB25DF54C888BBEB7B5FF48310F15805AEA05AB2A1E774EE45CB91

Function 00133170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0013316A,?,?), ref: 001331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0013316A,?,?), ref: 00133204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00133227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0013316A,?,?), ref: 00133232
CreatePopupMenu.USER32 ref: 00133246
PostQuitMessage.USER32(00000000), ref: 00133267

Strings

TaskbarCreated, xrefs: 0013322D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a453c098835b0ca9eab2935a3bb1cad67d75d8844ed3617c99b8df16adabdf2d
Instruction ID: c3b1b362ed9fea80a5c6a29af79a5c3493b61b4b1f0ed72b2e1d3c5f8f446706
Opcode Fuzzy Hash: a453c098835b0ca9eab2935a3bb1cad67d75d8844ed3617c99b8df16adabdf2d
Instruction Fuzzy Hash: 25416935610304ABDF282B78ED0DF7A3A29EB05340F044125F52A866E2CB71CEA197A9

Function 00131410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00131459
CoUninitialize.COMBASE ref: 001314F8
UnregisterHotKey.USER32(?), ref: 001316DD
DestroyWindow.USER32(?), ref: 001724B9
FreeLibrary.KERNEL32(?), ref: 0017251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0017254B

Strings

close all, xrefs: 00131454

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c17517d35b4dc01c9469445713e89060c4bba25c004364998f580b6269972001
Instruction ID: fcd33cd21fa0784c7f5222181e74cb85aa3dfd928b35a198f55204d374fe4a92
Opcode Fuzzy Hash: c17517d35b4dc01c9469445713e89060c4bba25c004364998f580b6269972001
Instruction Fuzzy Hash: A3D147317012129FCB29EF54C999A69F7B4BF15700F1582ADE84A6B262DB30ED13CF91

Function 00132C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00132C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00132CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00131CAD,?), ref: 00132CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00131CAD,?), ref: 00132CCF

Strings

edit, xrefs: 00132CAC
AutoIt v3, xrefs: 00132C89, 00132C8E, 00132C8F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 998f6763a5d7846f5031b225f0629136b1a4ef74c6c1a8e760e38b4730afea76
Instruction ID: 088d444500af24a66ecea9d6b5f43bb04904bc88888d1e739d357f6caafd9b01
Opcode Fuzzy Hash: 998f6763a5d7846f5031b225f0629136b1a4ef74c6c1a8e760e38b4730afea76
Instruction Fuzzy Hash: B0F0DA755403907AEB311717BC0DE773EBDD7C6F50B00109EF904A29A1C6715C61DAB0

Function 00133B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00133B0F,SwapMouseButtons,00000004,?), ref: 00133B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00133B0F,SwapMouseButtons,00000004,?), ref: 00133B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00133B0F,SwapMouseButtons,00000004,?), ref: 00133B83

Strings

Control Panel\Mouse, xrefs: 00133B3E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: dd9008b10b80f2bcbf13617e404ba862e39edca43a59bb26439c4d48af7b569c
Instruction ID: 2c1b24e2b059aee572532e5fb89cf6c8381a4c2305bbbb396d5d5f5cc7bf84b8
Opcode Fuzzy Hash: dd9008b10b80f2bcbf13617e404ba862e39edca43a59bb26439c4d48af7b569c
Instruction Fuzzy Hash: 3F1127B5610208FFDB218FA5DC84EAEBBB8EF44744F10846AF815E7114E331DE509BA4

Function 00133923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001733A2

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00133A04

Strings

Line: , xrefs: 001733EB

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 1268058742dc680635788eb46d829bb99a65183deca1372dfd400b6b88b21008
Instruction ID: 0177edafdd93c7c0ad406b9458f70fd5e97b825be9f9bb3cf86a658ebe977ad2
Opcode Fuzzy Hash: 1268058742dc680635788eb46d829bb99a65183deca1372dfd400b6b88b21008
Instruction Fuzzy Hash: FE31D271408304EBC725EB20DC49BEBB7E8AF54714F00856EF5A983092EB709A59C7C6

Function 0014FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00150668

Part of subcall function 001532A4: RaiseException.KERNEL32(?,?,?,0015068A,?,00201444,?,?,?,?,?,?,0015068A,00131129,001F8738,00131129), ref: 00153304

__CxxThrowException@8.LIBVCRUNTIME ref: 00150685

Strings

Unknown exception, xrefs: 00150692

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 7623d9ecbc3d50f374c2b7bb4fbd3c2b9fbf5fb0673f7ae91002260d9ec7623a
Instruction ID: c071c3c5652a783d88b207355c3c0d96ff1578a9b44f6f1a3761567617d9c17d
Opcode Fuzzy Hash: 7623d9ecbc3d50f374c2b7bb4fbd3c2b9fbf5fb0673f7ae91002260d9ec7623a
Instruction Fuzzy Hash: 21F0223090020DF3CB04BAE4D846CAE7B6C5E10351B604534BD34DA5E1EFB1DA6EC580

Function 001310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00131BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00131BF4
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00131BFC
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00131C07
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00131C12
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00131C1A
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00131C22

Part of subcall function 00131B4A: RegisterWindowMessageW.USER32(00000004,?,001312C4), ref: 00131BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0013136A
OleInitialize.OLE32 ref: 00131388
CloseHandle.KERNEL32(00000000,00000000), ref: 001724AB

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 6686faa80eb438f7dc77c8e925b230cbad823c371a0d35da168fd06273efdd06
Instruction ID: 8702dceb551304eca0f81b77187a9062d2cbfa6550d3d54d41fe3f35c69dfd11
Opcode Fuzzy Hash: 6686faa80eb438f7dc77c8e925b230cbad823c371a0d35da168fd06273efdd06
Instruction Fuzzy Hash: 647199B49113008FD388EF79BD89A557EE4FB98354794822EE04ADB2B3EB308565CF41

Function 0019C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00133923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00133A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0019C259
KillTimer.USER32(?,00000001,?,?), ref: 0019C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0019C270

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: b0a3be82af7d0abcc3e0d80925b055a94126bc9c2e4a9345fb8d8283b20a9e7f
Instruction ID: 320384c19b16bcf57e5228401b6d990e22bf4f9fe8a26360cbb4974de498ce28
Opcode Fuzzy Hash: b0a3be82af7d0abcc3e0d80925b055a94126bc9c2e4a9345fb8d8283b20a9e7f
Instruction Fuzzy Hash: 3E319370904384AFEF229F648855BE7BBECAB16308F00449AD5DE97241C7746A84CB91

Function 001686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001685CC,?,001F8CC8,0000000C), ref: 00168704
GetLastError.KERNEL32(?,001685CC,?,001F8CC8,0000000C), ref: 0016870E
__dosmaperr.LIBCMT ref: 00168739

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 5d339fc588a8fdb0c5cfad099be66ccd55b11b6ffefd489fddb8a73ed05e1be4
Instruction ID: 3aeb1add48dbb616afbee2e57741e41899dcd26d1240a86caefec638595fda5b
Opcode Fuzzy Hash: 5d339fc588a8fdb0c5cfad099be66ccd55b11b6ffefd489fddb8a73ed05e1be4
Instruction Fuzzy Hash: 5D014933A0566026D7346338EC49B7E6B4A5B92B74F390319F9188B2D3DFA0CC918190

Function 0013DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0013DB7B
DispatchMessageW.USER32(?), ref: 0013DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0013DB9F
Sleep.KERNELBASE(0000000A), ref: 0013DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00181CC9

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 9620b6aaf8806d2e5278365d7303ca80ff039e3fe2e927d67bc4efc2ff6c63ab
Instruction ID: f7a263aa8e6e72fcc00cbda15b878704a8d2f460ccba686b51d9ad60c1f95ad9
Opcode Fuzzy Hash: 9620b6aaf8806d2e5278365d7303ca80ff039e3fe2e927d67bc4efc2ff6c63ab
Instruction Fuzzy Hash: 72F05E316443809BE730DBA0EC89FAA77BCEB45310F104918E60A834D0DB30A5988F55

Function 00141310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001417F6

Strings

CALL, xrefs: 001417C6

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 12c9f9021387e1e512ac42ed10cc4f8fdffd6d9bb1c8c3c955855b1953fd401e
Instruction ID: 1f34546c9756e1c06f65afda9c1aa7d6bef4d263594e90689c85725dd204cb70
Opcode Fuzzy Hash: 12c9f9021387e1e512ac42ed10cc4f8fdffd6d9bb1c8c3c955855b1953fd401e
Instruction Fuzzy Hash: 3A227A70608301AFC714DF14C494B6ABBF1BF95314F19895DF89A8B3A2D771E985CB82

Function 00132DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00172C8C

Part of subcall function 00133AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00133A97,?,?,00132E7F,?,?,?,00000000), ref: 00133AC2

Part of subcall function 00132DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00132DC4

Strings

X, xrefs: 00172C5A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: cd32f1270e56024eff2482e576c84808cdb21da671942f8c23d6a32340f318f6
Instruction ID: cf4e6b013f348d343312d1ba5c1ec3ca80eea996eaada8e81cae90d3d9ade3e0
Opcode Fuzzy Hash: cd32f1270e56024eff2482e576c84808cdb21da671942f8c23d6a32340f318f6
Instruction Fuzzy Hash: 3821A571A0025C9FDB01EF94C849BEE7BF8AF59304F008059E509B7241DBB45A898FA1

Function 00133837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00133908

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 16360b1fbdbf2371aac83b99e7d8ff4a93bcb687cada86e62b717faca9804e75
Instruction ID: bf2d229363a9a796afb87c9b19d6b8afdd99b1c2a260f7be30155f74ac6ef71c
Opcode Fuzzy Hash: 16360b1fbdbf2371aac83b99e7d8ff4a93bcb687cada86e62b717faca9804e75
Instruction Fuzzy Hash: 8A31B470504301DFD720DF24D888797BBF8FB49709F00096EF5A987281E771AA54CB96

Function 0014F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0014F661

Part of subcall function 0013D730: GetInputState.USER32 ref: 0013D807

Sleep.KERNEL32(00000000), ref: 0018F2DE

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: b0869ccb86b72a2cf662e1702ce8627fe1d82a4617095d8e26fb208eb34e4352
Instruction ID: 1905fc29ca23dd37d61cbadd41a600f27d3865c47c4bbf42ddf1320895373726
Opcode Fuzzy Hash: b0869ccb86b72a2cf662e1702ce8627fe1d82a4617095d8e26fb208eb34e4352
Instruction Fuzzy Hash: A0F08C312442059FD314EF69E449F6ABBE8EF55760F000029E85DC73A0EB70AC40CB90

Function 00134ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00134E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00134EDD,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E9C
Part of subcall function 00134E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00134EAE
Part of subcall function 00134E90: FreeLibrary.KERNEL32(00000000,?,?,00134EDD,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134EFD

Part of subcall function 00134E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00173CDE,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E62
Part of subcall function 00134E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00134E74
Part of subcall function 00134E59: FreeLibrary.KERNEL32(00000000,?,?,00173CDE,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E87

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 9ad45c36a25caeb3cb759b685dcc4d18c988cf48960b5e40dd9178a988d3232f
Instruction ID: 0091a6398a984ade8314ad1b03846d52c28938e7c31d55ec8a6c5ddf09068e00
Opcode Fuzzy Hash: 9ad45c36a25caeb3cb759b685dcc4d18c988cf48960b5e40dd9178a988d3232f
Instruction Fuzzy Hash: 11112332600205ABCB14AB68DC02FAD77A9AF60B10F14842EF542AA1C1EF74EE059B90

Function 00168402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00168440

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 43aa9bcb56a0076a663d050ead42864111de74b8790bd08da73ee7e7309a4e9d
Instruction ID: 766c1bfb3d017f580bac24ef364d4a48ce6cf92bab02ae6f240ed5ca2b3ed86d
Opcode Fuzzy Hash: 43aa9bcb56a0076a663d050ead42864111de74b8790bd08da73ee7e7309a4e9d
Instruction Fuzzy Hash: 6A11187590420AAFCB05DF58E941A9A7BF5EF48314F118199F808AB312DB31EA21CBA5

Function 00165000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00164C7D: RtlAllocateHeap.NTDLL(00000008,00131129,00000000,?,00162E29,00000001,00000364,?,?,?,0015F2DE,00163863,00201444,?,0014FDF5,?), ref: 00164CBE

_free.LIBCMT ref: 0016506C

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 9078ee1a4e9d3fece89c9d3060e31a1380af72247637bd051e9404644eefc6a0
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 750122722047056BE3218F69DC81A9AFBE9FB89370F25062DF19483280EB30A805C6B4

Function 0015E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 24329932d0a050ad57b194eeb89ee0011428d0d67428a422fc3abf4bd3c08329
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 81F02832910E10DBC7393A699C05B5A33D99F723B7F100719FC319B1D2DB70D90A8AA5

Function 00164C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00131129,00000000,?,00162E29,00000001,00000364,?,?,?,0015F2DE,00163863,00201444,?,0014FDF5,?), ref: 00164CBE

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25b9635e2749d620fad664bce3aaf99d3592fa5aabb4aede2bb7596de2ea5d5d
Instruction ID: 984c41ac65ba32c4eb262cbcaa03a1021064a57534461900ec1a47b9496cb4d8
Opcode Fuzzy Hash: 25b9635e2749d620fad664bce3aaf99d3592fa5aabb4aede2bb7596de2ea5d5d
Instruction Fuzzy Hash: 51F0E931602224A7DB215F669C09F5A3788BF917A1B154115FC19EA381CB70DC2196E0

Function 00163820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2cd60464548c79f5d54f25e0f2e6958db5b1603dd6a02d883ecffad8eacad833
Instruction ID: 8366b40dfcc4891d398bb3dda61628d346a9c90651fb9d58acf00cda1d15f733
Opcode Fuzzy Hash: 2cd60464548c79f5d54f25e0f2e6958db5b1603dd6a02d883ecffad8eacad833
Instruction Fuzzy Hash: 0BE0E53110122497E62126679C05BDA364DAB427B1F050225BC35978D1CB60DD2282E0

Function 00134F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134F6D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 322055988f4e232906af2b0c93a1191500c2b9985907ed24c506a750b92802a6
Instruction ID: 3bbff4fb9abc74aa4d8136b1b7953b4ff681e86bbc4f60ab3cc82697c728df7a
Opcode Fuzzy Hash: 322055988f4e232906af2b0c93a1191500c2b9985907ed24c506a750b92802a6
Instruction Fuzzy Hash: BDF03071505751CFDB389F69D490812BBE8EF1432971989BEE1EA82611C731A844DF50

Function 001C2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001C2A66

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: cbed21adb35cc4a8adbc5fcd897e68a214a5086ceb0e23df5b29f9f0542309fd
Instruction ID: 58f34ac98910004133bab39be16792c147b30bf5d4d1882e457eed9dbbba24be
Opcode Fuzzy Hash: cbed21adb35cc4a8adbc5fcd897e68a214a5086ceb0e23df5b29f9f0542309fd
Instruction Fuzzy Hash: 55E04F36754116ABCB14EB34DC80EFA775CEB70395B10453AEC2AC3500DB30D99596E0

Function 001330F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0013314E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a68fc936ef92c0d75f2009e2628629b43c8724158b9888b725499167e5ef2974
Instruction ID: 463670ed44cf87356f99c4b21a333e37376d8dbb7379e26cf7b65032f6cbe1f8
Opcode Fuzzy Hash: a68fc936ef92c0d75f2009e2628629b43c8724158b9888b725499167e5ef2974
Instruction Fuzzy Hash: 4EF037709143149FE7529B24EC497D57BBCA705708F0440E5A54896192D7745B98CF91

Function 00132DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00132DC4

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fd6fb75de5ed66bd991cf5a3466e0b3523182c8e9b3e9cd519d6df853fef70e5
Instruction ID: eedd07a54f37493997b4b9a44e94d3f60a71276f82090b08f6b2fdfd866ebb38
Opcode Fuzzy Hash: fd6fb75de5ed66bd991cf5a3466e0b3523182c8e9b3e9cd519d6df853fef70e5
Instruction Fuzzy Hash: A9E0CD72A001246BC71092589C05FDA77EDDFC8790F044071FD0DD7248DA60ED848690

Function 00132B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00133837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00133908

Part of subcall function 0013D730: GetInputState.USER32 ref: 0013D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00132B6B

Part of subcall function 001330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0013314E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 9177028ca434d6d93686a21007439ea590e5777b57f0ae39536f4d5b00735504
Instruction ID: 154dd4ed2bbca783330f89c3033a0618dda56045a19e56ec52c835aa68dfd1f5
Opcode Fuzzy Hash: 9177028ca434d6d93686a21007439ea590e5777b57f0ae39536f4d5b00735504
Instruction Fuzzy Hash: B3E02C2230424802CA08BB70B8528ADBB499BF1321F40157EF192831B3CF208AA98252

Function 0017039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00170704,?,?,00000000,?,00170704,00000000,0000000C), ref: 001703B7

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58f8882c27ad7bc1d4d39116f5b2ef45b6d1c8a25ca773e185e65905d989f6ed
Instruction ID: 76d23c251ee0a7430b70fb7143802aac241952d4a33ea09ac28d9ccb1667152e
Opcode Fuzzy Hash: 58f8882c27ad7bc1d4d39116f5b2ef45b6d1c8a25ca773e185e65905d989f6ed
Instruction Fuzzy Hash: AFD06C3204010DFBDF029F85DD06EDA3FAAFB48714F014000FE1856420C732E861AB91

Function 00131CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00131CBC

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: eb94680362c6e7533870ea3740dd500c4f7bc5306296d0b7e3ec853605610fff
Instruction ID: 002d407696461cda05d488e07cdde7ac23587d229b3a4f35af1255dbc3f49bf1
Opcode Fuzzy Hash: eb94680362c6e7533870ea3740dd500c4f7bc5306296d0b7e3ec853605610fff
Instruction Fuzzy Hash: 8CC09236380305EFF3188B80BC4EF147B64A348B00F448002F60DA99E3C3A26861EA94

Non-executed Functions

Function 001C9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001C96C9
SendMessageW.USER32 ref: 001C96F2
GetKeyState.USER32(00000011), ref: 001C978B
GetKeyState.USER32(00000009), ref: 001C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001C97AE
GetKeyState.USER32(00000010), ref: 001C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001C97E9
SendMessageW.USER32 ref: 001C9810
SendMessageW.USER32(?,00001030,?,001C7E95), ref: 001C9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001C992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001C9941
SetCapture.USER32(?), ref: 001C994A
ClientToScreen.USER32(?,?), ref: 001C99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001C99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001C99D6
ReleaseCapture.USER32 ref: 001C99E1
GetCursorPos.USER32(?), ref: 001C9A19
ScreenToClient.USER32(?,?), ref: 001C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001C9A80
SendMessageW.USER32 ref: 001C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001C9AEB
SendMessageW.USER32 ref: 001C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001C9B4A
GetCursorPos.USER32(?), ref: 001C9B68
ScreenToClient.USER32(?,?), ref: 001C9B75
GetParent.USER32(?), ref: 001C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001C9BFA
SendMessageW.USER32 ref: 001C9C2B
ClientToScreen.USER32(?,?), ref: 001C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001C9CDE
SendMessageW.USER32 ref: 001C9D01
ClientToScreen.USER32(?,?), ref: 001C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001C9D82

Part of subcall function 00149944: GetWindowLongW.USER32(?,000000EB), ref: 00149952

GetWindowLongW.USER32(?,000000F0), ref: 001C9E05

Strings

p# , xrefs: 001C9990
@GUI_DRAGID, xrefs: 001C997D
F, xrefs: 001C9D07

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#
API String ID: 3429851547-3496453445
Opcode ID: 37f1aa558166adaf6cc8ffe98f8e39b08ea641b00602364f25820cc661affdc6
Instruction ID: 07a3d3e3017a26e3a48615be3b7aa091a252a96b12208eb74276bdc86f6cba0d
Opcode Fuzzy Hash: 37f1aa558166adaf6cc8ffe98f8e39b08ea641b00602364f25820cc661affdc6
Instruction Fuzzy Hash: BC427875204251AFDB24CF64C888FAABBE5EF68310F10061DF699876A1D731E960CF92

Function 001C4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001C4A7E
IsMenu.USER32(?), ref: 001C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001C4B20
GetWindowLongW.USER32(?,000000F0), ref: 001C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001C4C82
wsprintfW.USER32 ref: 001C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001C4D5A

Strings

%d/%02d/%02d, xrefs: 001C4CA8

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 4564c36cbc956940f86c2944d7573cfb6029f1567d2bc30420a6278c31dd24f3
Instruction ID: 632baeaffc223406b3cf8783e2aa31a32c8db21b4820ed3e37cea829a3dcc3bd
Opcode Fuzzy Hash: 4564c36cbc956940f86c2944d7573cfb6029f1567d2bc30420a6278c31dd24f3
Instruction Fuzzy Hash: D612ED71A04254ABEB248F68CC59FEE7BB8AF65310F10412DF51AEB2E1DB74D941CB90

Function 0014F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0014F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0018F474
IsIconic.USER32(00000000), ref: 0018F47D
ShowWindow.USER32(00000000,00000009), ref: 0018F48A
SetForegroundWindow.USER32(00000000), ref: 0018F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0018F4AA
GetCurrentThreadId.KERNEL32 ref: 0018F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0018F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0018F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0018F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0018F4DE
SetForegroundWindow.USER32(00000000), ref: 0018F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0018F4F6
keybd_event.USER32(00000012,00000000), ref: 0018F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0018F50B
keybd_event.USER32(00000012,00000000), ref: 0018F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0018F519
keybd_event.USER32(00000012,00000000), ref: 0018F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0018F528
keybd_event.USER32(00000012,00000000), ref: 0018F52D
SetForegroundWindow.USER32(00000000), ref: 0018F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0018F557

Strings

Shell_TrayWnd, xrefs: 0018F46F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: bd85e1a13eada3a009d0b93330a331e323df2f24c2b4768021a78c2eb0818b71
Instruction ID: dd3a67216aaca2ead4ffafae09ce07480bcd5a32f0f2e7a52b8cd0ef44a36db8
Opcode Fuzzy Hash: bd85e1a13eada3a009d0b93330a331e323df2f24c2b4768021a78c2eb0818b71
Instruction Fuzzy Hash: 52315271B40218BBEB206BB55C4AFBF7E6CEB44B50F11002AF605E61D1C7B09E41AFA0

Function 00191201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0019170D
Part of subcall function 001916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0019173A
Part of subcall function 001916C3: GetLastError.KERNEL32 ref: 0019174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00191286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001912A8
CloseHandle.KERNEL32(?), ref: 001912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001912D1
GetProcessWindowStation.USER32 ref: 001912EA
SetProcessWindowStation.USER32(00000000), ref: 001912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00191310

Part of subcall function 001910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001911FC), ref: 001910D4
Part of subcall function 001910BF: CloseHandle.KERNEL32(?,?,001911FC), ref: 001910E9

Strings

, xrefs: 0019125A
winsta0, xrefs: 001912CC
default, xrefs: 0019130B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 6012f3239aa3cf5d10b9234c4b266a3952822aac71902fe32bb2b338b408103f
Instruction ID: 73e58df042644f7e51b301cab0265fe3ed32d81a97300a33a463a88d9592bffe
Opcode Fuzzy Hash: 6012f3239aa3cf5d10b9234c4b266a3952822aac71902fe32bb2b338b408103f
Instruction Fuzzy Hash: 84818A7190020ABFEF219FA4DC49FEE7BB9EF08704F144129FA15A62A0C7318995CB61

Function 00190B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00191114
Part of subcall function 001910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191120
Part of subcall function 001910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 0019112F
Part of subcall function 001910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191136
Part of subcall function 001910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00190BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00190C00
GetLengthSid.ADVAPI32(?), ref: 00190C17
GetAce.ADVAPI32(?,00000000,?), ref: 00190C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00190C6D
GetLengthSid.ADVAPI32(?), ref: 00190C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00190C8C
HeapAlloc.KERNEL32(00000000), ref: 00190C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00190CB4
CopySid.ADVAPI32(00000000), ref: 00190CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00190CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00190D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00190D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190D45
HeapFree.KERNEL32(00000000), ref: 00190D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190D55
HeapFree.KERNEL32(00000000), ref: 00190D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190D65
HeapFree.KERNEL32(00000000), ref: 00190D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00190D78
HeapFree.KERNEL32(00000000), ref: 00190D7F

Part of subcall function 00191193: GetProcessHeap.KERNEL32(00000008,00190BB1,?,00000000,?,00190BB1,?), ref: 001911A1
Part of subcall function 00191193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00190BB1,?), ref: 001911A8
Part of subcall function 00191193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00190BB1,?), ref: 001911B7

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9e4b20eecf7e9d67153ad76731e97f91adc4c376aba4b3e17d8d7fba56d40535
Instruction ID: 3e8bd2158ad85ec7e5751bf1d4c0f5f3fc28f8226994971c0bc847cb04d5df87
Opcode Fuzzy Hash: 9e4b20eecf7e9d67153ad76731e97f91adc4c376aba4b3e17d8d7fba56d40535
Instruction Fuzzy Hash: C771467690020AAFDF119FE5DC48FAEBBB8AF08314F044555F918A6291D771EE45CBA0

Function 001AEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001CCC08), ref: 001AEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001AEB37
GetClipboardData.USER32(0000000D), ref: 001AEB43
CloseClipboard.USER32 ref: 001AEB4F
GlobalLock.KERNEL32(00000000), ref: 001AEB87
CloseClipboard.USER32 ref: 001AEB91
GlobalUnlock.KERNEL32(00000000), ref: 001AEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001AEBC9
GetClipboardData.USER32(00000001), ref: 001AEBD1
GlobalLock.KERNEL32(00000000), ref: 001AEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001AEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001AEC38
GetClipboardData.USER32(0000000F), ref: 001AEC44
GlobalLock.KERNEL32(00000000), ref: 001AEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001AEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001AEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001AECD2
GlobalUnlock.KERNEL32(00000000), ref: 001AECF3
CountClipboardFormats.USER32 ref: 001AED14
CloseClipboard.USER32 ref: 001AED59

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 3859e74ab347bb24c0772e39064bfc9658a5bad8d5173504512e9774efc99b15
Instruction ID: d2ff0a7a12362f1e16a76f58c36c610a7b9734ec294f053e81f972f6257ff009
Opcode Fuzzy Hash: 3859e74ab347bb24c0772e39064bfc9658a5bad8d5173504512e9774efc99b15
Instruction Fuzzy Hash: 0261E038204301AFD300EF64D889F6ABBE4AF95714F04455DF45A976A2CB31ED86CBA2

Function 001A698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001A69BE
FindClose.KERNEL32(00000000), ref: 001A6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001A6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001A6A75

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001A6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001A6ADF

Strings

%03d, xrefs: 001A6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001A6B32
%4d, xrefs: 001A6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 001A6B6A
%02d, xrefs: 001A6C00, 001A6C0A, 001A6C5A, 001A6CAA, 001A6CFA, 001A6D4A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: e742db4d21950c681364c001279ba7ed55527ff577b8678aa9f26f8060aecb4b
Instruction ID: d6871e378993644abb71b067c7e7bbebf54564e1f41042d6daf5557f3a7c1df6
Opcode Fuzzy Hash: e742db4d21950c681364c001279ba7ed55527ff577b8678aa9f26f8060aecb4b
Instruction Fuzzy Hash: 39D183B2508304AFC314EBA4C885EAFB7ECAF99704F04491DF589D7291EB74DA44CB62

Function 001A9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 001A9663
GetFileAttributesW.KERNEL32(?), ref: 001A96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001A96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001A96D3
FindClose.KERNEL32(00000000), ref: 001A96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001A96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001A974A
SetCurrentDirectoryW.KERNEL32(001F6B7C), ref: 001A9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001A9772
FindClose.KERNEL32(00000000), ref: 001A977F
FindClose.KERNEL32(00000000), ref: 001A978F

Strings

*.*, xrefs: 001A96F5

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3895403aacff668c79a87685adc6d976e48a7cced621bd0b135c412b1010300f
Instruction ID: 21e0c5935299c21ac2dce6e675039fa5238774aa6dbaf5e200960fac6a8d1352
Opcode Fuzzy Hash: 3895403aacff668c79a87685adc6d976e48a7cced621bd0b135c412b1010300f
Instruction Fuzzy Hash: B631B336640219AADB14EFF4EC49EEE77ACAF4A321F144155F919E2090DB34DDC48FA4

Function 001A979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 001A97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001A9819
FindClose.KERNEL32(00000000), ref: 001A9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001A9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001A9890
SetCurrentDirectoryW.KERNEL32(001F6B7C), ref: 001A98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001A98B8
FindClose.KERNEL32(00000000), ref: 001A98C5
FindClose.KERNEL32(00000000), ref: 001A98D5

Part of subcall function 0019DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0019DB00

Strings

*.*, xrefs: 001A983B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 97b0bc20aa8509e9b5d510c29c2529c3b34de9908894cab68b9aacd8a6097561
Instruction ID: bcbd38cab0f9da35e0af8e6e1d234daef2aee2946a1a23fc70e5d41832a6cad0
Opcode Fuzzy Hash: 97b0bc20aa8509e9b5d510c29c2529c3b34de9908894cab68b9aacd8a6097561
Instruction Fuzzy Hash: 6131C13550021DAADB10EFB4EC48EEE77ACAF07320F144195E954A2091DB38DEC98F64

Function 001BBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BB6AE,?,?), ref: 001BC9B5
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BC9F1
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA68
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001BBFA9
RegCloseKey.ADVAPI32(00000000), ref: 001BBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001BC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001BC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001BC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001BC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001BC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001BC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001BC382
RegCloseKey.ADVAPI32(00000000), ref: 001BC38F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: fea8cd931c70d2f7730aced3d64a2bad7d54f45f55d84dcc3f14c2d45bb5feab
Instruction ID: d0ec14c4898a6ab29c45f4fbf4cc2b759acaca244d7ea7166ee7b780dccc4c4c
Opcode Fuzzy Hash: fea8cd931c70d2f7730aced3d64a2bad7d54f45f55d84dcc3f14c2d45bb5feab
Instruction Fuzzy Hash: E2024B71604200AFD714DF28C891E6ABBE5BF89318F59849DF84ADB2A2D731EC45CB91

Function 001A8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001A8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001A8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001A8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001A8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001A838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8395

Strings

*.*, xrefs: 001A839B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 57419e7638d08dd5fedbb665897a3ec2de0b3d2326a9fec00f94f9bc2638ea85
Instruction ID: 2e9c6fa7a4b89a75583332aff5e91ca9efe9604d20869059238d202ce8509650
Opcode Fuzzy Hash: 57419e7638d08dd5fedbb665897a3ec2de0b3d2326a9fec00f94f9bc2638ea85
Instruction Fuzzy Hash: 58618B765083059FCB10EF64D840AAEB7E8FF99310F04881EF999C7251EB31E945CB92

Function 0019D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00133AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00133A97,?,?,00132E7F,?,?,?,00000000), ref: 00133AC2

Part of subcall function 0019E199: GetFileAttributesW.KERNEL32(?,0019CF95), ref: 0019E19A

FindFirstFileW.KERNEL32(?,?), ref: 0019D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0019D1DD
MoveFileW.KERNEL32(?,?), ref: 0019D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0019D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0019D237

Part of subcall function 0019D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0019D21C,?,?), ref: 0019D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0019D253
FindClose.KERNEL32(00000000), ref: 0019D264

Strings

\*.*, xrefs: 0019D0CD, 0019D0D6, 0019D0EB

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 54ce1dd540735c1aa3a99bea5a75adce4d8b0b826e0bde9dec3efbb9efffe17b
Instruction ID: 532c460b8ff2e22277f887011fb795e53745760c02acf822809f2e0ea9110f02
Opcode Fuzzy Hash: 54ce1dd540735c1aa3a99bea5a75adce4d8b0b826e0bde9dec3efbb9efffe17b
Instruction Fuzzy Hash: B2616C31C0510DAFCF05EBE0EA929EDBBB5AF65300F6441A5E446771A1EB30AF09CB60

Function 001AED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001AED91
EmptyClipboard.USER32 ref: 001AED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001AEDAC
CloseClipboard.USER32 ref: 001AEEA3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f9195811df34be95c83f82ac814d882f1011326e8285b6a840c8f8016ae16a38
Instruction ID: d13b468accfaad7f7657dae6c3bcbc0ad27400045ee0190deaba1b54bf4d4e7c
Opcode Fuzzy Hash: f9195811df34be95c83f82ac814d882f1011326e8285b6a840c8f8016ae16a38
Instruction Fuzzy Hash: 0B417B39604611AFE720DF19E888F19BBE5EF45319F14C099E4198BB62C735EC82CBD0

Function 0019E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0019170D
Part of subcall function 001916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0019173A
Part of subcall function 001916C3: GetLastError.KERNEL32 ref: 0019174A

ExitWindowsEx.USER32(?,00000000), ref: 0019E932

Strings

SeShutdownPrivilege, xrefs: 0019E902
, xrefs: 0019E95C
, xrefs: 0019E920
@, xrefs: 0019E925

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1fd375eb3bb6c8cac3b532e41f703fcabcae74f92f569098b3cb9853703a0d9e
Instruction ID: 39842bff269ae724ad16dba8f8b5813d3bf5845b815aacf483a11b0d5937b588
Opcode Fuzzy Hash: 1fd375eb3bb6c8cac3b532e41f703fcabcae74f92f569098b3cb9853703a0d9e
Instruction Fuzzy Hash: FD01D672A10211AFEF54A6B4DC86FBB76ACA714758F150421FD03E21D1DBA19C8085D0

Function 001B1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001B1276
WSAGetLastError.WSOCK32 ref: 001B1283
bind.WSOCK32(00000000,?,00000010), ref: 001B12BA
WSAGetLastError.WSOCK32 ref: 001B12C5
closesocket.WSOCK32(00000000), ref: 001B12F4
listen.WSOCK32(00000000,00000005), ref: 001B1303
WSAGetLastError.WSOCK32 ref: 001B130D
closesocket.WSOCK32(00000000), ref: 001B133C

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: a2cd64acef6f2df838106e910fc2c1c06284b53f908917f01a942b05d1cf2c7a
Instruction ID: e23ee6317068938a341380531dd3849ac5ce1aaeb0542ef7fc263b28a678916a
Opcode Fuzzy Hash: a2cd64acef6f2df838106e910fc2c1c06284b53f908917f01a942b05d1cf2c7a
Instruction Fuzzy Hash: 4B41B531600100AFD710DF64C494B6ABBE6BF46314F698098D8569F3D2C771ED81CBE0

Function 0016B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0016B9D4
_free.LIBCMT ref: 0016B9F8
_free.LIBCMT ref: 0016BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001D3700), ref: 0016BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0020121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0016BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00201270,000000FF,?,0000003F,00000000,?), ref: 0016BC36
_free.LIBCMT ref: 0016BD4B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 83363836ae33575c13f7e0d2770e49851ef38edacc699ceecfa4d06e2efa8786
Instruction ID: 866235a2d27ca162ae99d6ecd6ccbf534c6414e5ba013591972978265e234dea
Opcode Fuzzy Hash: 83363836ae33575c13f7e0d2770e49851ef38edacc699ceecfa4d06e2efa8786
Instruction Fuzzy Hash: 13C13971A08214AFCB24DF78DCC1BAE7BB9EF51350F14419AE894D7252E7308EA1CB90

Function 0019D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00133AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00133A97,?,?,00132E7F,?,?,?,00000000), ref: 00133AC2

Part of subcall function 0019E199: GetFileAttributesW.KERNEL32(?,0019CF95), ref: 0019E19A

FindFirstFileW.KERNEL32(?,?), ref: 0019D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0019D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0019D481
FindClose.KERNEL32(00000000), ref: 0019D498
FindClose.KERNEL32(00000000), ref: 0019D4A1

Strings

\*.*, xrefs: 0019D3F2

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 7e96b1497830142c191b4c92340ebf02b838692ca31062e56230fe4af2c7a168
Instruction ID: 34af4006d0474bf3ed4def871d662f8b7b194f63b2be4ed4d8cbbebfc469a3b4
Opcode Fuzzy Hash: 7e96b1497830142c191b4c92340ebf02b838692ca31062e56230fe4af2c7a168
Instruction Fuzzy Hash: EE3160710083459BC704EF64E8919AFBBE8BEA1314F444A1DF4D593191EB30EA09CBA3

Function 0016E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0016E645

Strings

1#QNAN, xrefs: 0016F84B
1#SNAN, xrefs: 0016F844
1#INF, xrefs: 0016F852
1#IND, xrefs: 0016F83D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5786af92bf780d2739fa4478e3816096d07398a86d3e5ea31deadf0960fa097b
Instruction ID: 749bc19574cb35b996734fb5d9f88e2ff3780fa98464e3ad12997ca94203b951
Opcode Fuzzy Hash: 5786af92bf780d2739fa4478e3816096d07398a86d3e5ea31deadf0960fa097b
Instruction Fuzzy Hash: 16C24C75E046288FDB29CE28DD407EAB7F5EB44305F1542EAD84EE7240E774AE958F40

Function 001A648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A64DC
CoInitialize.OLE32(00000000), ref: 001A6639
CoCreateInstance.OLE32(001CFCF8,00000000,00000001,001CFB68,?), ref: 001A6650
CoUninitialize.OLE32 ref: 001A68D4

Strings

.lnk, xrefs: 001A64BA, 001A6524, 001A65E0

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 725884ea93e829ea2eb817da354a4e067cdd5d80ec2c61673124bb671efb04e8
Instruction ID: 7d9e107c694baed1ccc3da51638e6f789b6c28c16f1bbf0c4212234574e8b7ae
Opcode Fuzzy Hash: 725884ea93e829ea2eb817da354a4e067cdd5d80ec2c61673124bb671efb04e8
Instruction Fuzzy Hash: F3D12775508201AFD314EF24C881A6BB7E9FFA9704F04496DF5958B2A1EB70ED09CB92

Function 001B22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001B22E8

Part of subcall function 001AE4EC: GetWindowRect.USER32(?,?), ref: 001AE504

GetDesktopWindow.USER32 ref: 001B2312
GetWindowRect.USER32(00000000), ref: 001B2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001B2355
GetCursorPos.USER32(?), ref: 001B2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001B23DF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 64ee4f06ba2fb355ba4fc089c76217f5b1cfd0576cc0173f479de16434a15e4b
Instruction ID: 498d1b62e2f09224e2c506ceea3d9880b5dc09485ccf9f1f08d96820edef2dae
Opcode Fuzzy Hash: 64ee4f06ba2fb355ba4fc089c76217f5b1cfd0576cc0173f479de16434a15e4b
Instruction Fuzzy Hash: 8A31AF72504315ABDB20DF54C849F9BBBE9FF88314F000A19F989971A1DB34E949CBD2

Function 001A9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001A9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001A9C8B

Part of subcall function 001A3874: GetInputState.USER32 ref: 001A38CB
Part of subcall function 001A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001A3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001A9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001A9C75

Strings

*.*, xrefs: 001A9B5D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 0c34c7c957af5ce87b83d1da06a492f70f42e0bbe7a51c3e5ca96a41ece063b0
Instruction ID: 51e687739ac420428bb561d0a904cd388942bebf3a256e1ec0c4a50e7e9aa089
Opcode Fuzzy Hash: 0c34c7c957af5ce87b83d1da06a492f70f42e0bbe7a51c3e5ca96a41ece063b0
Instruction Fuzzy Hash: 1E41817590460A9FCF15DFA4CC89EEEBBB8FF16310F248155E815A6191EB309E84CFA0

Function 0014997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00149A4E
GetSysColor.USER32(0000000F), ref: 00149B23
SetBkColor.GDI32(?,00000000), ref: 00149B36

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: cbe5836940fadbce98218a833d7278749b82b594f3633d8ae1b887cf38706a16
Instruction ID: 899e1ba681c136bc210010781a01dcc764ced17109e1eca5eb08d011a980d2b1
Opcode Fuzzy Hash: cbe5836940fadbce98218a833d7278749b82b594f3633d8ae1b887cf38706a16
Instruction Fuzzy Hash: DCA10770208544AFE729BA2C9C8DE7B3A9EDB52350B364219F502C7AF2CB25DE01C771

Function 001B1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001B307A
Part of subcall function 001B304E: _wcslen.LIBCMT ref: 001B309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001B185D
WSAGetLastError.WSOCK32 ref: 001B1884
bind.WSOCK32(00000000,?,00000010), ref: 001B18DB
WSAGetLastError.WSOCK32 ref: 001B18E6
closesocket.WSOCK32(00000000), ref: 001B1915

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0d14225f140152c2bfdb20cc920f1b9614c0c41797f847e920201c8f7d2e2e77
Instruction ID: 12b8d96297a153a36109587d23d0cada9752399d8c85760d45a9965bfa8b50da
Opcode Fuzzy Hash: 0d14225f140152c2bfdb20cc920f1b9614c0c41797f847e920201c8f7d2e2e77
Instruction Fuzzy Hash: 3B51B475A00200AFEB10AF24C896F6A77E5AB54718F49845CFA19AF3D3C771ED418BE1

Function 001C1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001C1CC0
IsWindowEnabled.USER32 ref: 001C1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001C1CDB
IsIconic.USER32 ref: 001C1CE9
IsZoomed.USER32 ref: 001C1CF7

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 89c777f46d1a82e661b8da37958524cae73c1cb53cc135b350f88f5bdaf30366
Instruction ID: 04f333c71b10d74c1789209775d11aa0db9a117d9b9a4680b0c855651f6d1e03
Opcode Fuzzy Hash: 89c777f46d1a82e661b8da37958524cae73c1cb53cc135b350f88f5bdaf30366
Instruction Fuzzy Hash: DA2183317802116FE7249F1AC894F6A7BA5EFA6325F19805CF84A8B752C771DC42CBD4

Function 00138060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0013813C
VUUU, xrefs: 001383E8
VUUU, xrefs: 00175DF0
VUUU, xrefs: 0013843C
VUUU, xrefs: 001383FA

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 5bc6cf3affef61e0bf31abee42c5fd0f8ebd860c16c5dde6364bd777261a4c79
Instruction ID: 42b597fc1ed8e343f3cf2175f2d13f85ab0f044917caa7620699345450ec5847
Opcode Fuzzy Hash: 5bc6cf3affef61e0bf31abee42c5fd0f8ebd860c16c5dde6364bd777261a4c79
Instruction Fuzzy Hash: CCA26171E0061ACBDF24CF58C8517BEB7B2BF54314F2581AAE819A7285DB749E81CF90

Function 0019AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0019AAAC
SetKeyboardState.USER32(00000080), ref: 0019AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0019AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0019AB88

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cb1d67580de1aceb3f56cd038c312da8c9b189a3c5e4fb98ec9a7b178f037949
Instruction ID: aa8eb72e3452f34621081774742ef752358615eb250779691f13366d3ab92f3c
Opcode Fuzzy Hash: cb1d67580de1aceb3f56cd038c312da8c9b189a3c5e4fb98ec9a7b178f037949
Instruction Fuzzy Hash: D7311630A40258AFFF358B698C05BFA7BA6AF54310F84421AF586561D0D7749989C7E3

Function 001ACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001ACE89
GetLastError.KERNEL32(?,00000000), ref: 001ACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001ACEFE

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c2afa5a33c8f71f34a61b71968467adab3bf6761c9815f79b94c26a2e4060247
Instruction ID: 47cdb1e173e51ea7e517397d5addeadd10400894de4ad5384b8a07be369b4502
Opcode Fuzzy Hash: c2afa5a33c8f71f34a61b71968467adab3bf6761c9815f79b94c26a2e4060247
Instruction Fuzzy Hash: FA219DB9900305AFEB30DF65D948BA67BF8EB51354F10442EE64692551E770EE48CBE0

Function 00198298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001982AA

Strings

|, xrefs: 001982DA
(, xrefs: 001982F0

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 8f942aaa2db65995d8f8382559958d953c328d58717cac214d78f16949e88937
Instruction ID: 85a6f356787cb2ceff14b7ffd475aa34e8c21e4a67d118f3e73bfec2fed3d715
Opcode Fuzzy Hash: 8f942aaa2db65995d8f8382559958d953c328d58717cac214d78f16949e88937
Instruction Fuzzy Hash: 66323475A00605DFCB28CF69C481A6AB7F0FF48710B15C56EE59ADB3A1EB70E981CB50

Function 001A5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001A5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001A5D17
FindClose.KERNEL32(?), ref: 001A5D5F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 689fdbc3fb158eec0513bbb41cdad7f6fc8988de2daead75bec97b8101d80c6e
Instruction ID: b89c31bc64523ca2a03e92f1be5f9a1acca442413f67cfb242cd2b10d538fabe
Opcode Fuzzy Hash: 689fdbc3fb158eec0513bbb41cdad7f6fc8988de2daead75bec97b8101d80c6e
Instruction Fuzzy Hash: F7519A786086019FC714CF68C494E9AB7E5FF4A324F14855DE99A8B3A2CB30ED45CF91

Function 00162622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0016271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00162724
UnhandledExceptionFilter.KERNEL32(?), ref: 00162731

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d8cb8ddf631142185d1a01211618fffa7cd0b724e0040e29517f7f4a86dfa987
Instruction ID: 7efa533b65ebf586bcbd223a6e9021b8c4995ed22367476a51d2e14c92c90cf2
Opcode Fuzzy Hash: d8cb8ddf631142185d1a01211618fffa7cd0b724e0040e29517f7f4a86dfa987
Instruction Fuzzy Hash: B031B47591122C9BCB21DF64DD89B99BBB8BF18310F5041EAE81CA7261E7309F858F85

Function 001A51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001A5238
SetErrorMode.KERNEL32(00000000), ref: 001A52A1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 092f6137a7930c6eeca1dcf37e9c68e595e0932c7210d32e03f3148e65242e84
Instruction ID: f2931d9cf96d8c41cf449726c9f60676e363c62ab52b863805b7f649cd6491f0
Opcode Fuzzy Hash: 092f6137a7930c6eeca1dcf37e9c68e595e0932c7210d32e03f3148e65242e84
Instruction Fuzzy Hash: 80312B75A04518DFDB00DF55D884EADBBB5FF49314F088099E809AB3A2DB31E855CB90

Function 001916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0014FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00150668
Part of subcall function 0014FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00150685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0019170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0019173A
GetLastError.KERNEL32 ref: 0019174A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 87061987d31c339b04c7712f108e9604925b854793adfcc5c7a1b20d5322b107
Instruction ID: 1bdbf729c46b6891f85a3f1cb39c059c846d839e7325fc51058b9e3b0de89667
Opcode Fuzzy Hash: 87061987d31c339b04c7712f108e9604925b854793adfcc5c7a1b20d5322b107
Instruction Fuzzy Hash: 3C1191B2804305BFE7189F94EC86D6BBBB9EF44714B24852EF05657651EB70FC828A60

Function 0019D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0019D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0019D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0019D650

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2c0c7e18b29a096afcff70b77f54db356ab0df985944d3f0f353f18cf7b15110
Instruction ID: c2e02c741d2e101f1a027706c111a69ad3211cb0e9c4fd4441586cb80ba8d625
Opcode Fuzzy Hash: 2c0c7e18b29a096afcff70b77f54db356ab0df985944d3f0f353f18cf7b15110
Instruction Fuzzy Hash: 84113C75E05228BBDB108F95AC45FAFBFBCEB45B50F108115F908E7290D6704A058BA1

Function 00191663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0019168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001916A1
FreeSid.ADVAPI32(?), ref: 001916B1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1ff7af78c69f6b5258de48204863ec3f0b314657609dc64e39bb367a4672350f
Instruction ID: ffc658b97fdc88fd53de633b35cfc82cbbbadc786a02cba3ca3a97c64fed547b
Opcode Fuzzy Hash: 1ff7af78c69f6b5258de48204863ec3f0b314657609dc64e39bb367a4672350f
Instruction Fuzzy Hash: 3FF0F475950309FBDF00DFE49C89EAEBBBCFB08604F504565E901E2181E774EA948A94

Function 0016C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0016C36C

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 701a006ab1d7aede9e3f18fe4e401a283c8c8ea0cc8dbafea675521cb6617c0d
Instruction ID: 7804c5d45996a7d135332fa57feedba03c2351f7f4c09b6289522a8d45d9aee8
Opcode Fuzzy Hash: 701a006ab1d7aede9e3f18fe4e401a283c8c8ea0cc8dbafea675521cb6617c0d
Instruction Fuzzy Hash: 03412376900219ABCB209FB9CC88EBB77B8EB84314F1042A9F945C7280E7309D818B90

Function 0018D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0018D28C

Strings

X64, xrefs: 0018D2A8

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 58170ff8fc8143d2a262a5539f7524d233dc2eeec5817bd3ca03c38d8eb45041
Instruction ID: c2084221b64e8601b44d645703db50269b110a2663c419d3606a9369c36ad1b5
Opcode Fuzzy Hash: 58170ff8fc8143d2a262a5539f7524d233dc2eeec5817bd3ca03c38d8eb45041
Instruction Fuzzy Hash: A8D0C9B480111DEACF94DB90EC88DDAB77CBB04305F100151F106A2040DB3096488F10

Function 0015CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 3454f2da9a412600e69017257f834f2be12ab4333928450b0260d78ff1166a4c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 44021C71E00219DFDF14CFA9C8906ADBBF1EF58315F25816AD829EB380D731AA458BD4

Function 0013CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00180C40
p# , xrefs: 0013CF7F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#
API String ID: 0-1790810085
Opcode ID: fe0b4b35599c323d584447bae2413e4193e9ed0672e17be38889d752b6658621
Instruction ID: db9d7c5d73e9f9970eeba986d677de588f63eb6e38e6c99bb6dfa8a159629226
Opcode Fuzzy Hash: fe0b4b35599c323d584447bae2413e4193e9ed0672e17be38889d752b6658621
Instruction Fuzzy Hash: E0328E74900218DFDF19EF94C885AEDB7B9BF19304F148069E806BB292D775AE49CF90

Function 001A68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001A6918
FindClose.KERNEL32(00000000), ref: 001A6961

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45aa98e3ce4d1b05f2d4bc4db86d520997a59fbcefc215acc80a3380240ead41
Instruction ID: fd99662ea2753890bd046add280bf74ddbc046a9801aa1787bb4e474fabaf2d5
Opcode Fuzzy Hash: 45aa98e3ce4d1b05f2d4bc4db86d520997a59fbcefc215acc80a3380240ead41
Instruction Fuzzy Hash: 1B1190756042009FD714DF29D488A16BBE5FF89328F18C699E4698F6A2CB30EC45CBD1

Function 001A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001B4891,?,?,00000035,?), ref: 001A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001B4891,?,?,00000035,?), ref: 001A37F4

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a03f13eac915bc96626e418cfef9c3e0e6d33acfd2eae2a1733bbf2aba0364a0
Instruction ID: 63fdc2b91944ebb9216749a18767a74f5d976c73b0c2f1f359f4ac49417c7c38
Opcode Fuzzy Hash: a03f13eac915bc96626e418cfef9c3e0e6d33acfd2eae2a1733bbf2aba0364a0
Instruction Fuzzy Hash: 27F0E5B56043282AE72057A69C4DFEB3AAEEFC5B61F100165F509D2281DAA09D44C6F0

Function 0019B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0019B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0019B270

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: a9a45a21b6c3ea12530bef23612d975f7a4541250a34358ae7e4c9500e1b097d
Instruction ID: 592b96ffec6d7e9ebcdab8e6ddd43b6edac8a06f867a7a4f9bad0921b2341c76
Opcode Fuzzy Hash: a9a45a21b6c3ea12530bef23612d975f7a4541250a34358ae7e4c9500e1b097d
Instruction Fuzzy Hash: 28F01D7190428EABDF059FA0D845BAE7FB4FF04305F00801AF955A5191C379D6519F94

Function 001910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001911FC), ref: 001910D4
CloseHandle.KERNEL32(?,?,001911FC), ref: 001910E9

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 413e2ed0a40315fe9515786ebe1fa2a916a52d1058369cd89726a43f1bb71d73
Instruction ID: 777be9c229d553c96a39a75cb65e3f7771f64a7e9bbd8a47997747d68b026d85
Opcode Fuzzy Hash: 413e2ed0a40315fe9515786ebe1fa2a916a52d1058369cd89726a43f1bb71d73
Instruction Fuzzy Hash: 28E04F32004600AEE7252B51FC05E737BA9FB04310B14882DF4A6808B1DB62ACE1DB50

Function 0016676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00166766,?,?,00000008,?,?,0016FEFE,00000000), ref: 00166998

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 24dc9e26473862c5a325059347eb4b9a4a249eaa6bd708140e2424242ea8ef6e
Instruction ID: f77060e2cfd256005d7e9498b3146f014225a27eb1eff474e6067c9d52cbfe6f
Opcode Fuzzy Hash: 24dc9e26473862c5a325059347eb4b9a4a249eaa6bd708140e2424242ea8ef6e
Instruction Fuzzy Hash: 9BB12C31610609DFD719CF28C88AB657BE0FF45368F258658E8D9CF2A2C735E9A1CB40

Function 0014B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0018851F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 34f2350ce4a8cd225a77683d6cd8cdce30b18453766c7e80c884cf4b78a3e560
Instruction ID: 51e5da50c3d863bc7f7e3b067f3528639ff3c9fa3db2fa2947e6aabebdecbe5e
Opcode Fuzzy Hash: 34f2350ce4a8cd225a77683d6cd8cdce30b18453766c7e80c884cf4b78a3e560
Instruction Fuzzy Hash: C2126E719042299BCB24DF58C880AEEB7F5FF48710F55819AE849EB255EB30DE81CF90

Function 001AEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001AEABD

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e3672aafe7769141b39be8ba8e86519de0edab822632b1b79548c4ce800406f3
Instruction ID: 90a5297ed9b4488905a796edc8f649f0a9989ec9231330e82892a7879279859c
Opcode Fuzzy Hash: e3672aafe7769141b39be8ba8e86519de0edab822632b1b79548c4ce800406f3
Instruction Fuzzy Hash: 7AE01A362002149FD710EF59D844E9ABBE9AFA9760F00841AFD49DB351DB70EC408B90

Function 001509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001503EE), ref: 001509DA

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 782825861fe86530939592735f26fc9f685aefd33ec5fb2e2b3c715445809fbd
Instruction ID: 67764a0da0aeadd045a627d48aac6e817384dc7d3714c6a129a3c58af40d87ad
Opcode Fuzzy Hash: 782825861fe86530939592735f26fc9f685aefd33ec5fb2e2b3c715445809fbd
Instruction Fuzzy Hash:

Function 0015781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0015798B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: dc40ee5373be1ef6e33f769c1769b30b0801ee3147439e1fce34bd45005b73f5
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7651556160C705DBDB388568A85FBBE638A9B22357F180509DCB6DF2C2C715EE0DD362

Function 001A2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0& , xrefs: 001A2053

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID: 0&
API String ID: 0-597335918
Opcode ID: d8250522ee6bb091791976f49a28ad95db2e0efd0840f59e73f73b75e27cc16d
Instruction ID: 5b6694356ff764eba52ee1d0f2cdd2cb5e82bcfd0f6146b6e905098b51b6a777
Opcode Fuzzy Hash: d8250522ee6bb091791976f49a28ad95db2e0efd0840f59e73f73b75e27cc16d
Instruction Fuzzy Hash: 3721BB326206118BD728CF79C91767E73E5A754310F15862EE4A7C77D1DE7AA904C740

Function 00166DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad482b3846087bd84d9f2120b4f469f38d2cc39e5bdf2195ec9a6b5490770b38
Instruction ID: d8c2b6aaabc61d0a734e1061351bf45b9a68ef2ca59f59579e431ab55eca204a
Opcode Fuzzy Hash: ad482b3846087bd84d9f2120b4f469f38d2cc39e5bdf2195ec9a6b5490770b38
Instruction Fuzzy Hash: DC32F222D2AF414DD7239634DC22335A749AFB73D9F15D727E82AB5DA9EB29C4C34100

Function 0014CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0bf42ed0e606f4565b18608ca7f288c1ad94fe5d2ab41bd7e34636a173b0352
Instruction ID: 481caa2acee58a8012b0d0b8e7befb28aed7e6c6ebb4695fc54de3f5f4839f07
Opcode Fuzzy Hash: a0bf42ed0e606f4565b18608ca7f288c1ad94fe5d2ab41bd7e34636a173b0352
Instruction Fuzzy Hash: E2322531A001158BCF28EF69C4D46BD7BA1EB45310F29856AD55ADB6A1E330DF81DFE0

Function 00137920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6527b133eb881d5c139b7e9ae2a6b00df38b40b1ba4d6f161f83ae129cc5c7c
Instruction ID: 6d75ea99ae150103b1b0b7a4002b7f7bc1447d356d56e51022af2a320e3e7f84
Opcode Fuzzy Hash: a6527b133eb881d5c139b7e9ae2a6b00df38b40b1ba4d6f161f83ae129cc5c7c
Instruction Fuzzy Hash: 2022C4B0A0460ADFDF14CFA4C881AAEF7F6FF54300F248529E816A7291EB75AD55CB50

Function 001391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212d7b280bc00933082b9300a6371238291ff13504351af22fa9ed66e2b71434
Instruction ID: d74a80c770b586488f42697d5450f0d481fa9c4b9fc17cf5502572ac6c03748e
Opcode Fuzzy Hash: 212d7b280bc00933082b9300a6371238291ff13504351af22fa9ed66e2b71434
Instruction Fuzzy Hash: DD02A6B0E00105EFDB05DF64D881AAEBBF5FF58300F118169E81A9B391EB71AA55CB91

Function 00169EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5182af0916ea336a0413d8e60ba1ba08320608d34099eabdc1b9d01516a85120
Instruction ID: 9d3730f9f9ae0be8a845fb3b2b1eb0a3f63a6ac70bc6d0dc48f9a39a39e43b66
Opcode Fuzzy Hash: 5182af0916ea336a0413d8e60ba1ba08320608d34099eabdc1b9d01516a85120
Instruction Fuzzy Hash: 4AB1CC30E2AF415DC22396398961336B75CBFBB6D5B92D71BFC2674D22EB2286C34141

Function 00151C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: e0b3972a907c16350bfde6cc1a81b7b7436e448a6bd0acf96ce42bd3af5407d8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 289165321080A399DB2F4679857967DFEE19A523A371A079DDCF2CE1C1EF10895CD620

Function 001519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d8965938b12efe1ee75a883782e4e0464d42144b4fb861d123abf1cff6c95c48
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 03912E722090E29ADB2F427A857427DFEF15A922A771A0799D8F2CF1C1FB24855CD620

Function 00157A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb25d01e0c1f9fcedadb704c37127d13856ef9ad8d7cc1d0e3d8a591c59adc74
Instruction ID: fde25f98093e94c1f93404aa6ca918a99844f40a93b13c4a34f42c745093b443
Opcode Fuzzy Hash: eb25d01e0c1f9fcedadb704c37127d13856ef9ad8d7cc1d0e3d8a591c59adc74
Instruction Fuzzy Hash: C061487160870AD7EA38A928B897BBE2394DF51703F180919EC73DF2C1DB519E4E8355

Function 00157CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cc4445c11f9f59aa3da4df0450c2e988b964e63d943ffdbff0f510d7d8ea5a
Instruction ID: 76943e92e7b5fa17a6651759c578599860288c0c0415f2234537341b3613a4aa
Opcode Fuzzy Hash: 85cc4445c11f9f59aa3da4df0450c2e988b964e63d943ffdbff0f510d7d8ea5a
Instruction Fuzzy Hash: E3618B71208709D6DE395AA8B857BBE23A8EF52743F100959EC73DF2C1EB129D4E8251

Function 00151706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: c1f6e035cf6420571117fe7f97e0cbee65b000545c89c5099c1ea9988376a64d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 3C8141735080A29ADB2E423D853467EFFE15A923A771A079DD8F2CE1C1EF24995CD620

Function 001B2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001B2B30
DeleteObject.GDI32(00000000), ref: 001B2B43
DestroyWindow.USER32 ref: 001B2B52
GetDesktopWindow.USER32 ref: 001B2B6D
GetWindowRect.USER32(00000000), ref: 001B2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001B2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001B2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2CF8
GetClientRect.USER32(00000000,?), ref: 001B2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001B2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2D80
GlobalLock.KERNEL32(00000000), ref: 001B2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2D98
GlobalUnlock.KERNEL32(00000000), ref: 001B2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2DA8
GlobalFree.KERNEL32(00000000), ref: 001B2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001CFC38,00000000), ref: 001B2DDB
GlobalFree.KERNEL32(00000000), ref: 001B2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001B2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001B2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B303F

Strings

, xrefs: 001B2FC5
AutoIt v3, xrefs: 001B2CF2
DISPLAY, xrefs: 001B2EA2
static, xrefs: 001B2D3A, 001B2E91

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: f20f2ccadb9ef7ad29f4481a2b81d8e9e20f25ed1fda9e307ab49024ff8cba96
Instruction ID: a5565f97226c529dae6f519c53b3ec935dea5837f22b1114a870c4351e98c49e
Opcode Fuzzy Hash: f20f2ccadb9ef7ad29f4481a2b81d8e9e20f25ed1fda9e307ab49024ff8cba96
Instruction Fuzzy Hash: D6028B71900219EFDB14DF64DD89EAE7BB9EF48310F048158F919AB2A1DB70ED45CBA0

Function 001C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001C712F
GetSysColorBrush.USER32(0000000F), ref: 001C7160
GetSysColor.USER32(0000000F), ref: 001C716C
SetBkColor.GDI32(?,000000FF), ref: 001C7186
SelectObject.GDI32(?,?), ref: 001C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001C71C0
GetSysColor.USER32(00000010), ref: 001C71C8
CreateSolidBrush.GDI32(00000000), ref: 001C71CF
FrameRect.USER32(?,?,00000000), ref: 001C71DE
DeleteObject.GDI32(00000000), ref: 001C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001C7230
FillRect.USER32(?,?,?), ref: 001C7262
GetWindowLongW.USER32(?,000000F0), ref: 001C7284

Part of subcall function 001C73E8: GetSysColor.USER32(00000012), ref: 001C7421
Part of subcall function 001C73E8: SetTextColor.GDI32(?,?), ref: 001C7425
Part of subcall function 001C73E8: GetSysColorBrush.USER32(0000000F), ref: 001C743B
Part of subcall function 001C73E8: GetSysColor.USER32(0000000F), ref: 001C7446
Part of subcall function 001C73E8: GetSysColor.USER32(00000011), ref: 001C7463
Part of subcall function 001C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001C7471
Part of subcall function 001C73E8: SelectObject.GDI32(?,00000000), ref: 001C7482
Part of subcall function 001C73E8: SetBkColor.GDI32(?,00000000), ref: 001C748B
Part of subcall function 001C73E8: SelectObject.GDI32(?,?), ref: 001C7498
Part of subcall function 001C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001C74B7
Part of subcall function 001C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001C74CE
Part of subcall function 001C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001C74DB

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ab28ae0f5d30255130860eb68a73fdda745497c31cc3e908f96def1a923024a6
Instruction ID: 457184c21bdc95adb0f81b474649f3dea3f548d1794ae1d9286e191eaa91286c
Opcode Fuzzy Hash: ab28ae0f5d30255130860eb68a73fdda745497c31cc3e908f96def1a923024a6
Instruction Fuzzy Hash: B5A18D72508301EFDB009F60DC48E6BBBA9FB89320F140A19F966965E1D771ED85CF91

Function 00148D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00148E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00186AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00186AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00186F43

Part of subcall function 00148F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00148BE8,?,00000000,?,?,?,?,00148BBA,00000000,?), ref: 00148FC5

SendMessageW.USER32(?,00001053), ref: 00186F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00186F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00186FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00186FB7

Strings

0, xrefs: 00186DCF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 878d296244b47dcb75e6f05db71e2353a23f857adec2f7d97436ba36fec9d119
Instruction ID: 2968797acf58dc70f355fe23e3c8ce1384a15e07815f9ef3fc282cd369073263
Opcode Fuzzy Hash: 878d296244b47dcb75e6f05db71e2353a23f857adec2f7d97436ba36fec9d119
Instruction Fuzzy Hash: D912BF30600211DFD725EF14D898BAABBE5FB44300F144569F589DB662CB31EDA1DF91

Function 001B2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001B273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001B286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001B28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001B28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001B2900
GetClientRect.USER32(00000000,?), ref: 001B290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001B2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001B2964
GetStockObject.GDI32(00000011), ref: 001B2974
SelectObject.GDI32(00000000,00000000), ref: 001B2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001B2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B2991
DeleteDC.GDI32(00000000), ref: 001B299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001B29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001B29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001B2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001B2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001B2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001B2A77
GetStockObject.GDI32(00000011), ref: 001B2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001B2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001B2A97

Strings

AutoIt v3, xrefs: 001B28F8
DISPLAY, xrefs: 001B295A
static, xrefs: 001B294F, 001B2A71
msctls_progress32, xrefs: 001B2A13

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 638f5cc4c9da4aeec703f6a60937e52d83cc604328a9706a394c2366737c788c
Instruction ID: aa37f7b9d9c7f208816f47feb5f7f4b71b602328b3c5859a38d5ea4ac2af8c59
Opcode Fuzzy Hash: 638f5cc4c9da4aeec703f6a60937e52d83cc604328a9706a394c2366737c788c
Instruction Fuzzy Hash: 2FB15DB1A00219AFEB24DFA8DC89FAE7BA9EF18710F004154F915E7691D774ED40CBA4

Function 001A4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A4AED
GetDriveTypeW.KERNEL32(?,001CCB68,?,\\.\,001CCC08), ref: 001A4BCA
SetErrorMode.KERNEL32(00000000,001CCB68,?,\\.\,001CCC08), ref: 001A4D36

Strings

iSCSI, xrefs: 001A4CC2
CDROM, xrefs: 001A4BFB
USB, xrefs: 001A4CB4
MMC, xrefs: 001A4CDE
Fibre, xrefs: 001A4CAD
SAS, xrefs: 001A4CC9
Network, xrefs: 001A4C02
Removable, xrefs: 001A4C10, 001A4C15
SATA, xrefs: 001A4CD0
Fixed, xrefs: 001A4C09
1394, xrefs: 001A4C9F
SSA, xrefs: 001A4CA6
FileBackedVirtual, xrefs: 001A4CEC
Virtual, xrefs: 001A4CE5
PhysicalDrive, xrefs: 001A4B76
RAID, xrefs: 001A4CBB
RAMDisk, xrefs: 001A4BF4
SCSI, xrefs: 001A4C8A
\\.\, xrefs: 001A4B3F
SSD, xrefs: 001A4C4A
ATAPI, xrefs: 001A4C91
Unknown, xrefs: 001A4BED, 001A4C83
ATA, xrefs: 001A4C98

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d97de140bfa1db558ab8c56065d8049a3b530237902f1242bb7603822abdfdeb
Instruction ID: 6f3b3fc938d4b7cb6c1c8787008dfbb2327a46507002e6335af009c5781302a0
Opcode Fuzzy Hash: d97de140bfa1db558ab8c56065d8049a3b530237902f1242bb7603822abdfdeb
Instruction Fuzzy Hash: 10610438705209EBCB08DF68CA82D7C77B0AF96360B248015F94EAB695DBB1ED41DB51

Function 001C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001C7421
SetTextColor.GDI32(?,?), ref: 001C7425
GetSysColorBrush.USER32(0000000F), ref: 001C743B
GetSysColor.USER32(0000000F), ref: 001C7446
CreateSolidBrush.GDI32(?), ref: 001C744B
GetSysColor.USER32(00000011), ref: 001C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001C7471
SelectObject.GDI32(?,00000000), ref: 001C7482
SetBkColor.GDI32(?,00000000), ref: 001C748B
SelectObject.GDI32(?,?), ref: 001C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001C7572
DrawFocusRect.USER32(?,?), ref: 001C757D
GetSysColor.USER32(00000011), ref: 001C758E
SetTextColor.GDI32(?,00000000), ref: 001C7596
DrawTextW.USER32(?,001C70F5,000000FF,?,00000000), ref: 001C75A8
SelectObject.GDI32(?,?), ref: 001C75BF
DeleteObject.GDI32(?), ref: 001C75CA
SelectObject.GDI32(?,?), ref: 001C75D0
DeleteObject.GDI32(?), ref: 001C75D5
SetTextColor.GDI32(?,?), ref: 001C75DB
SetBkColor.GDI32(?,?), ref: 001C75E5

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: dd98a1c1dd8a954e50308d86dd993395e35495ea8b0dbf94da9bced6d856b9f8
Instruction ID: 77e26f5e1fead3ff870a70cdf757160a13b5e987c1cb52d16e7cc5704091a304
Opcode Fuzzy Hash: dd98a1c1dd8a954e50308d86dd993395e35495ea8b0dbf94da9bced6d856b9f8
Instruction Fuzzy Hash: 84613972904218AFDB059FA4DC49EEEBFB9EB08320F154115F919AB2A1D7B5DD80CF90

Function 001C0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001C1128
GetDesktopWindow.USER32 ref: 001C113D
GetWindowRect.USER32(00000000), ref: 001C1144
GetWindowLongW.USER32(?,000000F0), ref: 001C1199
DestroyWindow.USER32(?), ref: 001C11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001C11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001C121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001C1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001C1245
IsWindowVisible.USER32(00000000), ref: 001C12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001C12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001C12D0
GetWindowRect.USER32(00000000,?), ref: 001C12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001C130E
GetMonitorInfoW.USER32(00000000,?), ref: 001C1328
CopyRect.USER32(?,?), ref: 001C133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001C13AA

Strings

(, xrefs: 001C131B
tooltips_class32, xrefs: 001C11E6
0, xrefs: 001C10D3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b63355ce527bf4df2b287ee318fe114235b58bf5f19892f9d964984186c4d5c6
Instruction ID: 479987d2e7853237a5ea955bacae3ec8bcef3f2fa9b6bf7033359771a68ffa60
Opcode Fuzzy Hash: b63355ce527bf4df2b287ee318fe114235b58bf5f19892f9d964984186c4d5c6
Instruction Fuzzy Hash: EAB17871608341AFD704DF64C984F6ABBE4FF99354F00891CF9999B2A2C771E844CB92

Function 001C0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001C02E5
_wcslen.LIBCMT ref: 001C031F
_wcslen.LIBCMT ref: 001C0389
_wcslen.LIBCMT ref: 001C03F1
_wcslen.LIBCMT ref: 001C0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001C04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001C0504

Part of subcall function 0014F9F2: _wcslen.LIBCMT ref: 0014F9FD

Part of subcall function 0019223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00192258
Part of subcall function 0019223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0019228A

Strings

GETITEMCOUNT, xrefs: 001C0316, 001C0337
GETSELECTED, xrefs: 001C05E1
GETSUBITEMCOUNT, xrefs: 001C0384, 001C039F
FINDITEM, xrefs: 001C0627
GETSELECTEDCOUNT, xrefs: 001C0470, 001C048B
SELECTINVERT, xrefs: 001C057E
ISSELECTED, xrefs: 001C04DD
SELECTALL, xrefs: 001C0515
SELECT, xrefs: 001C0548
VIEWCHANGE, xrefs: 001C0675
GETTEXT, xrefs: 001C03EC, 001C0407
DESELECT, xrefs: 001C059C
SELECTCLEAR, xrefs: 001C052D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 839ba783c00327c6b2519848259c52773f8328c6c18b4190226dda1ffc0a818c
Instruction ID: 4f19b2e81f4eab4207a766fdb37ace6ee90200ae5c44bd835ebb6d145535c72e
Opcode Fuzzy Hash: 839ba783c00327c6b2519848259c52773f8328c6c18b4190226dda1ffc0a818c
Instruction Fuzzy Hash: CFE19D31208241DFCB19DF24C591E2AB3E6BFA8718F15495CF896AB3A1DB30ED45CB81

Function 00148891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00148968
GetSystemMetrics.USER32(00000007), ref: 00148970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0014899B
GetSystemMetrics.USER32(00000008), ref: 001489A3
GetSystemMetrics.USER32(00000004), ref: 001489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00148A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00148A3C
GetClientRect.USER32(00000000,000000FF), ref: 00148A5A
GetStockObject.GDI32(00000011), ref: 00148A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00148A81

Part of subcall function 0014912D: GetCursorPos.USER32(?), ref: 00149141
Part of subcall function 0014912D: ScreenToClient.USER32(00000000,?), ref: 0014915E
Part of subcall function 0014912D: GetAsyncKeyState.USER32(00000001), ref: 00149183
Part of subcall function 0014912D: GetAsyncKeyState.USER32(00000002), ref: 0014919D

SetTimer.USER32(00000000,00000000,00000028,001490FC), ref: 00148AA8

Strings

AutoIt v3 GUI, xrefs: 00148A20

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: be2eebc7c03da18bd05612db3ad6ee79c75250b3cc61048f5d47526fccf1ca53
Instruction ID: 2f56baa93437ac4295df34061e5d2e940d1b1d76628e54921abdc4da96e02548
Opcode Fuzzy Hash: be2eebc7c03da18bd05612db3ad6ee79c75250b3cc61048f5d47526fccf1ca53
Instruction Fuzzy Hash: 03B17C71A0020A9FDB14DFA8DC49FAE7BB5FB48314F114229FA15A72A0DB70E951CF91

Function 00190D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00191114
Part of subcall function 001910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191120
Part of subcall function 001910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 0019112F
Part of subcall function 001910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191136
Part of subcall function 001910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00190DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00190E29
GetLengthSid.ADVAPI32(?), ref: 00190E40
GetAce.ADVAPI32(?,00000000,?), ref: 00190E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00190E96
GetLengthSid.ADVAPI32(?), ref: 00190EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00190EB5
HeapAlloc.KERNEL32(00000000), ref: 00190EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00190EDD
CopySid.ADVAPI32(00000000), ref: 00190EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00190F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00190F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00190F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190F6E
HeapFree.KERNEL32(00000000), ref: 00190F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190F7E
HeapFree.KERNEL32(00000000), ref: 00190F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190F8E
HeapFree.KERNEL32(00000000), ref: 00190F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00190FA1
HeapFree.KERNEL32(00000000), ref: 00190FA8

Part of subcall function 00191193: GetProcessHeap.KERNEL32(00000008,00190BB1,?,00000000,?,00190BB1,?), ref: 001911A1
Part of subcall function 00191193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00190BB1,?), ref: 001911A8
Part of subcall function 00191193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00190BB1,?), ref: 001911B7

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 539f894a6fabd56c27fbd353e9200d948f40ac0bcd1a16def8fb3319053bc3ed
Instruction ID: 34ac083c1853df3a559d4d61f67ed3031dbef55e40fadf515f50ff0202a3e27c
Opcode Fuzzy Hash: 539f894a6fabd56c27fbd353e9200d948f40ac0bcd1a16def8fb3319053bc3ed
Instruction Fuzzy Hash: 0C71357290020AEFDF219FA5DC48FAEBBB8FF08300F148115F919A6291D7319E55CBA0

Function 001BC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001CCC08,00000000,?,00000000,?,?), ref: 001BC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001BC5A4
_wcslen.LIBCMT ref: 001BC5F4
_wcslen.LIBCMT ref: 001BC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001BC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001BC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001BC84D
RegCloseKey.ADVAPI32(?), ref: 001BC881
RegCloseKey.ADVAPI32(00000000), ref: 001BC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001BC960

Strings

REG_BINARY, xrefs: 001BC913
REG_SZ, xrefs: 001BC644
REG_MULTI_SZ, xrefs: 001BC6F5
REG_EXPAND_SZ, xrefs: 001BC5CD
REG_DWORD, xrefs: 001BC804
REG_QWORD, xrefs: 001BC8C3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b0040c7fd068d8507179557c68b9c326c423099f2ef2de10188dd77bd5a1f758
Instruction ID: 4e67e316d1d573e25b303891c2ec4eaac9ff19ca0567b9f2fff9025511c9f218
Opcode Fuzzy Hash: b0040c7fd068d8507179557c68b9c326c423099f2ef2de10188dd77bd5a1f758
Instruction Fuzzy Hash: 731259756042019FDB24DF14C881E6ABBE5FF88714F04889DF89A9B3A2DB31ED41CB81

Function 001C091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001C09C6
_wcslen.LIBCMT ref: 001C0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001C0A54
_wcslen.LIBCMT ref: 001C0A8A
_wcslen.LIBCMT ref: 001C0B06
_wcslen.LIBCMT ref: 001C0B81

Part of subcall function 0014F9F2: _wcslen.LIBCMT ref: 0014F9FD

Part of subcall function 00192BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00192BFA

Strings

EXPAND, xrefs: 001C0BF8
GETITEMCOUNT, xrefs: 001C0C1E
GETSELECTED, xrefs: 001C0C4E
CHECK, xrefs: 001C0A85, 001C0AA0
UNCHECK, xrefs: 001C0D3E
SELECT, xrefs: 001C0D11
ISCHECKED, xrefs: 001C0CE1
GETTOTALCOUNT, xrefs: 001C09F2, 001C0A17
GETTEXT, xrefs: 001C0C97
COLLAPSE, xrefs: 001C0B01, 001C0B1C
EXISTS, xrefs: 001C0B7C, 001C0B97

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9ecaf7275a77ffa407fe7f486484079b124e3c896eb16880fc19566fa437821b
Instruction ID: 60f25ae3801123ecd2a9d518105ea4e067d92497e20edffef83267901baf61d6
Opcode Fuzzy Hash: 9ecaf7275a77ffa407fe7f486484079b124e3c896eb16880fc19566fa437821b
Instruction Fuzzy Hash: 9EE17B75208301DFCB19DF64C451A2AB7E1BFA8318F15895CF89AAB3A2D731ED45CB81

Function 001BC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BB6AE,?,?), ref: 001BC9B5
_wcslen.LIBCMT ref: 001BC9F1
_wcslen.LIBCMT ref: 001BCA68
_wcslen.LIBCMT ref: 001BCA9E
_wcslen.LIBCMT ref: 001BCAF9
_wcslen.LIBCMT ref: 001BCB2F
_wcslen.LIBCMT ref: 001BCB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 001BCAF3, 001BCAF8
HKLM, xrefs: 001BCA98, 001BCA9D
HKCU, xrefs: 001BCBCE
HKEY_USERS, xrefs: 001BCBDF
HKCC, xrefs: 001BCBAC
HKEY_CURRENT_CONFIG, xrefs: 001BCB79, 001BCB7E
HKCR, xrefs: 001BCB29, 001BCB2E
HKU, xrefs: 001BCBF0
HKEY_CURRENT_USER, xrefs: 001BCBBD
HKEY_LOCAL_MACHINE, xrefs: 001BCA62, 001BCA67

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3d1a36e9b7ec18c82e41e1933973352253cd2c1d52ea715b5f336bb621f38c86
Instruction ID: 1c8f9e530842ce2172a6f8c893bca84380cfb1936a4a44778dc8e8d924ca8984
Opcode Fuzzy Hash: 3d1a36e9b7ec18c82e41e1933973352253cd2c1d52ea715b5f336bb621f38c86
Instruction Fuzzy Hash: 8C71B23261012A8BCB20DE7DCA515FF3791ABB5794B250528FC66AB295FB31CD85C3E0

Function 001C833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C835A
_wcslen.LIBCMT ref: 001C836E
_wcslen.LIBCMT ref: 001C8391
_wcslen.LIBCMT ref: 001C83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001C83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001C5BF2), ref: 001C844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001C8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001C84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001C8501
FreeLibrary.KERNEL32(?), ref: 001C850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001C851D
DestroyIcon.USER32(?,?,?,?,?,001C5BF2), ref: 001C852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001C8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001C8555

Strings

.dll, xrefs: 001C83AB
.exe, xrefs: 001C8388
.icl, xrefs: 001C8368

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 678910d8855d58f5ce44e8f0a3a3819b03a114b94a186e28281b90516af01309
Instruction ID: 3f28576214593be01e9146bb8804c17856b3e4438a32713a14e6dd61950fd5da
Opcode Fuzzy Hash: 678910d8855d58f5ce44e8f0a3a3819b03a114b94a186e28281b90516af01309
Instruction Fuzzy Hash: 9361BF71540219FAEB18DF64CC82FBE7BA8BB28711F10450AF915DA1D1DBB4E980CBA0

Function 00137778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00137873, 001378C5
', xrefs: 00175169
Bad directive syntax error, xrefs: 0017519A
#requireadmin, xrefs: 001377FF
", xrefs: 00175153
#include, xrefs: 00137847
Cannot parse #include, xrefs: 00175279
#pragma compile, xrefs: 001377D3
#notrayicon, xrefs: 001377E7
#comments-end, xrefs: 001378D9
Unterminated group of comments, xrefs: 0017528C
#ce, xrefs: 001378ED
#OnAutoItStartRegister, xrefs: 00137817
#include-once, xrefs: 0013782F
#comments-start, xrefs: 0013785F, 001378B1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1ea8239907d43699e2457aebe0f4f2d1f4891a5dca6ae17e2f792e1e95fb1c53
Instruction ID: d657320bd6216c688ce5affa47faf261c17a8d4f064740dbeaed4ee75287a0d5
Opcode Fuzzy Hash: 1ea8239907d43699e2457aebe0f4f2d1f4891a5dca6ae17e2f792e1e95fb1c53
Instruction Fuzzy Hash: 5081D8B1604605FBEB24AF60DC47FAE77B5AF25300F054028F909BA2D6EBB0D916C791

Function 001A3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001A3EF8
_wcslen.LIBCMT ref: 001A3F03
_wcslen.LIBCMT ref: 001A3F5A
_wcslen.LIBCMT ref: 001A3F98
GetDriveTypeW.KERNEL32(?), ref: 001A3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001A401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001A4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001A4087

Strings

open, xrefs: 001A3F54, 001A3F59
wait, xrefs: 001A4044
type cdaudio alias cd wait, xrefs: 001A4001
closed, xrefs: 001A3F08, 001A3F2D, 001A3F46, 001A3F7E, 001A3F97
open , xrefs: 001A3FE5
close, xrefs: 001A3EFE, 001A3F18
set cd door , xrefs: 001A4028
close cd wait, xrefs: 001A4072

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 5dc03461b71e570097012057c5ddbe95798c9fe008180572a5d531355ccd8c21
Instruction ID: 485c35679b7d93278c54b0143373c77489d466e860dc15aaab62fa15fe151779
Opcode Fuzzy Hash: 5dc03461b71e570097012057c5ddbe95798c9fe008180572a5d531355ccd8c21
Instruction Fuzzy Hash: C571F1366043059FC710EF24C8819BAB7F4EFA5758F10492DF9A697291EB30ED49CB92

Function 00195A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00195A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00195A40
SetWindowTextW.USER32(?,?), ref: 00195A57
GetDlgItem.USER32(?,000003EA), ref: 00195A6C
SetWindowTextW.USER32(00000000,?), ref: 00195A72
GetDlgItem.USER32(?,000003E9), ref: 00195A82
SetWindowTextW.USER32(00000000,?), ref: 00195A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00195AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00195AC3
GetWindowRect.USER32(?,?), ref: 00195ACC
_wcslen.LIBCMT ref: 00195B33
SetWindowTextW.USER32(?,?), ref: 00195B6F
GetDesktopWindow.USER32 ref: 00195B75
GetWindowRect.USER32(00000000), ref: 00195B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00195BD3
GetClientRect.USER32(?,?), ref: 00195BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00195C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00195C2F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: c5b8a6720808d53de6f683ae98eeb082d33ebbac608444a7360793b1ac2f2738
Instruction ID: 2e8aa25eaf1a4f1f1d2e361096402a2bea8a90d61796fbf8caaa6a0d289ac23f
Opcode Fuzzy Hash: c5b8a6720808d53de6f683ae98eeb082d33ebbac608444a7360793b1ac2f2738
Instruction Fuzzy Hash: AE714931900B09AFDB21DFA8CE85EAEBBF6FB48705F104518E586A26A0D775ED44CB50

Function 001AFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001AFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 001AFE32
LoadCursorW.USER32(00000000,00007F00), ref: 001AFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 001AFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 001AFE53
LoadCursorW.USER32(00000000,00007F01), ref: 001AFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 001AFE69
LoadCursorW.USER32(00000000,00007F88), ref: 001AFE74
LoadCursorW.USER32(00000000,00007F80), ref: 001AFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 001AFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 001AFE95
LoadCursorW.USER32(00000000,00007F85), ref: 001AFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 001AFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 001AFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 001AFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 001AFECC
GetCursorInfo.USER32(?), ref: 001AFEDC
GetLastError.KERNEL32 ref: 001AFF1E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d8032214d4e273394fb36818280f2a0b4d4693fc88f182c82631ba234f5fc9c8
Instruction ID: 986ab877f7855131c80e13d96f01fd05c91ffe60bb42f0fce714033b8055f9c6
Opcode Fuzzy Hash: d8032214d4e273394fb36818280f2a0b4d4693fc88f182c82631ba234f5fc9c8
Instruction Fuzzy Hash: FB4151B0D043196EDB109FBA8C89C5EBFE8FF05754B50452AE11DE7281DB78E9018F91

Function 001500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001500C6

Part of subcall function 001500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0020070C,00000FA0,15969FC6,?,?,?,?,001723B3,000000FF), ref: 0015011C
Part of subcall function 001500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001723B3,000000FF), ref: 00150127
Part of subcall function 001500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001723B3,000000FF), ref: 00150138
Part of subcall function 001500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0015014E
Part of subcall function 001500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0015015C
Part of subcall function 001500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0015016A
Part of subcall function 001500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00150195
Part of subcall function 001500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001501A0

___scrt_fastfail.LIBCMT ref: 001500E7

Part of subcall function 001500A3: __onexit.LIBCMT ref: 001500A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00150122
kernel32.dll, xrefs: 00150133
InitializeConditionVariable, xrefs: 00150148
SleepConditionVariableCS, xrefs: 00150154
WakeAllConditionVariable, xrefs: 00150162

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 21c7c95b2adc02b0980d69cf89563905964de22fc77dbd6c40220e13f163fdea
Instruction ID: 738d72aaf380f6b3eb7e40796d62d00d8cc8ecbcc6ee5ddbd8ed2c09670cee10
Opcode Fuzzy Hash: 21c7c95b2adc02b0980d69cf89563905964de22fc77dbd6c40220e13f163fdea
Instruction Fuzzy Hash: 86212C32640700EFE7125BE4AC8AF6977D4EB19B52F04012DFC15AAAE1DF74DC458AD1

Function 001930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0019318D
_wcslen.LIBCMT ref: 001931F8

Strings

INSTANCE, xrefs: 00193453
REGEXPCLASS, xrefs: 00193255, 00193266
NAME, xrefs: 00193335, 00193346
CLASSNN, xrefs: 001931F3, 00193204
TEXT, xrefs: 0019347C
CLASS, xrefs: 00193188, 001931A5

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: dc3b99d8f9c05e708452b211dac026cf63ce590c6ec943cf4161ab5f743f1e90
Instruction ID: a9e8dfe2a1a2337bff2a1ae0f4743a67802cdfa71b6004c9f9fa9562ca279b20
Opcode Fuzzy Hash: dc3b99d8f9c05e708452b211dac026cf63ce590c6ec943cf4161ab5f743f1e90
Instruction Fuzzy Hash: 0DE1D432A00516ABCF189FA8C4516FEFBB1BF58710F558129E576B7250DB30AF85C7A0

Function 001A44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001CCC08), ref: 001A4527
_wcslen.LIBCMT ref: 001A453B
_wcslen.LIBCMT ref: 001A4599
_wcslen.LIBCMT ref: 001A45F4
_wcslen.LIBCMT ref: 001A463F
_wcslen.LIBCMT ref: 001A46A7

Part of subcall function 0014F9F2: _wcslen.LIBCMT ref: 0014F9FD

GetDriveTypeW.KERNEL32(?,001F6BF0,00000061), ref: 001A4743

Strings

network, xrefs: 001A469D, 001A46A2
fixed, xrefs: 001A4635, 001A463A
removable, xrefs: 001A45EA, 001A45EF
ramdisk, xrefs: 001A46F1
cdrom, xrefs: 001A458F, 001A4594
all, xrefs: 001A4531, 001A4536
unknown, xrefs: 001A4708

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 381cde04a2cf7c605c797ca6dcc278d043480463a4cf97aa4c5c420aca4036b8
Instruction ID: 7b6378b877897a24f5a091f2a7c01e218cb131296e009beb2c30f5d1b5be6b9c
Opcode Fuzzy Hash: 381cde04a2cf7c605c797ca6dcc278d043480463a4cf97aa4c5c420aca4036b8
Instruction Fuzzy Hash: D8B100796083029FC714DF28C890A7AB7E5BFE6724F50491DF49AC7291E7B0D845CBA2

Function 001C911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

DragQueryPoint.SHELL32(?,?), ref: 001C9147

Part of subcall function 001C7674: ClientToScreen.USER32(?,?), ref: 001C769A
Part of subcall function 001C7674: GetWindowRect.USER32(?,?), ref: 001C7710
Part of subcall function 001C7674: PtInRect.USER32(?,?,001C8B89), ref: 001C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001C9277
DragFinish.SHELL32(?), ref: 001C927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001C9371

Strings

p# , xrefs: 001C92BB
@GUI_DRAGID, xrefs: 001C92E9
@GUI_DROPID, xrefs: 001C929E
@GUI_DRAGFILE, xrefs: 001C9320

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#
API String ID: 221274066-1260850325
Opcode ID: 7f4ee665abd2dc311d61cd408e0818e30eeba569eb233131fc133f7e10ca9b84
Instruction ID: 7854f94377d3b0ef5b2563f73ffe5507332f7b95333da06d58200e77a4f67ff6
Opcode Fuzzy Hash: 7f4ee665abd2dc311d61cd408e0818e30eeba569eb233131fc133f7e10ca9b84
Instruction Fuzzy Hash: 71616B71108301AFD705DF64DC89EAFBBE8EFA8750F00091EF595922A1DB70DA49CB92

Function 0013326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00201990), ref: 00172F8D
GetMenuItemCount.USER32(00201990), ref: 0017303D
GetCursorPos.USER32(?), ref: 00173081
SetForegroundWindow.USER32(00000000), ref: 0017308A
TrackPopupMenuEx.USER32(00201990,00000000,?,00000000,00000000,00000000), ref: 0017309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001730A9

Strings

0, xrefs: 0013327D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 18831496fb97a75de3db0578e42bba6a3be53310703ba8f7f967f3fc224217d6
Instruction ID: b8cc6157a341956d2b325f3b35fbda4c327c1ca955661923263d0e4324889212
Opcode Fuzzy Hash: 18831496fb97a75de3db0578e42bba6a3be53310703ba8f7f967f3fc224217d6
Instruction Fuzzy Hash: F7711531644205BFEB258F64DC89FAABF74FF05364F208216F528AA1E1C7B1AD50DB90

Function 001C6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 001C6DEB

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001C6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001C6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C6E94
DestroyWindow.USER32(?), ref: 001C6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00130000,00000000), ref: 001C6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C6EFD
GetDesktopWindow.USER32 ref: 001C6F16
GetWindowRect.USER32(00000000), ref: 001C6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001C6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001C6F4D

Part of subcall function 00149944: GetWindowLongW.USER32(?,000000EB), ref: 00149952

Strings

0, xrefs: 001C6D98
tooltips_class32, xrefs: 001C6E58, 001C6EDD

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 22a42bdf3e2dbabc1abc2686773b28772f78a9cbf31ea3ba4b2ec4d20c97b1fe
Instruction ID: b75ffc7c3d8ea2e79c4069dd5bf819c8a41316708bc785f738f4a43defe38f42
Opcode Fuzzy Hash: 22a42bdf3e2dbabc1abc2686773b28772f78a9cbf31ea3ba4b2ec4d20c97b1fe
Instruction Fuzzy Hash: 8F714574104344AFDB21CF28D858FAABBE9FF99304F44481EF99987261C770E946DB52

Function 001AC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001AC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001AC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001AC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001AC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001AC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001AC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001AC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001AC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001AC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001AC5F0
InternetCloseHandle.WININET(00000000), ref: 001AC5FB

Strings

, xrefs: 001AC575

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b9b2cf12cc9a8cd27218b20949bd2deb7bc90237f51115a2e2a2c8378bfff148
Instruction ID: 05b2c2675b8b4818c173ccb5fa73eda3ad2532653373d5880ceaca6632f1ceba
Opcode Fuzzy Hash: b9b2cf12cc9a8cd27218b20949bd2deb7bc90237f51115a2e2a2c8378bfff148
Instruction Fuzzy Hash: D0513BB5600705BFDB219FA4C948AAB7BFCFF09754F004419F94996610DB34ED449BE0

Function 001C856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 001C8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85BA
GlobalLock.KERNEL32(00000000), ref: 001C85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85D7
GlobalUnlock.KERNEL32(00000000), ref: 001C85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,001CFC38,?), ref: 001C8611
GlobalFree.KERNEL32(00000000), ref: 001C8621
GetObjectW.GDI32(?,00000018,?), ref: 001C8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001C8671
DeleteObject.GDI32(?), ref: 001C8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001C86AF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1aa77d8a74eb684edf6b96ba0a9206d2ea49a34da5f14148f67f51ea1846dcf7
Instruction ID: 565192759069d6090fa2ac6d8d0e92fcd8133a42331d5e6705b59eef05d17806
Opcode Fuzzy Hash: 1aa77d8a74eb684edf6b96ba0a9206d2ea49a34da5f14148f67f51ea1846dcf7
Instruction Fuzzy Hash: 5F414875600208AFDB119FA5CC88EAABBB8FF99B11F108058F909E7660DB70DD41CB60

Function 001A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001A1502
VariantCopy.OLEAUT32(?,?), ref: 001A150B
VariantClear.OLEAUT32(?), ref: 001A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001A1657
VariantInit.OLEAUT32(?), ref: 001A1708
SysFreeString.OLEAUT32(?), ref: 001A178C
VariantClear.OLEAUT32(?), ref: 001A17D8
VariantClear.OLEAUT32(?), ref: 001A17E7
VariantInit.OLEAUT32(00000000), ref: 001A1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001A1625
Default, xrefs: 001A16AF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d693106a20a181f6dfc8ccaa21a66dede7a10d0561194af610e4ab7f7517e834
Instruction ID: 711c129272eb86a687b7741a1fd0ba62935af1e4effe2b9aa76e8ecde4559b8d
Opcode Fuzzy Hash: d693106a20a181f6dfc8ccaa21a66dede7a10d0561194af610e4ab7f7517e834
Instruction Fuzzy Hash: E7D11E35E00505FBDB08AFA5E894B79B7B5BF47700F11805AE44AAF290DB30EC41DBA1

Function 001BB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 001BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BB6AE,?,?), ref: 001BC9B5
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BC9F1
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA68
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001BB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001BB80A
RegCloseKey.ADVAPI32(?), ref: 001BB87E
RegCloseKey.ADVAPI32(?), ref: 001BB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001BB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001BB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001BB922
FreeLibrary.KERNEL32(00000000), ref: 001BB983
RegCloseKey.ADVAPI32(00000000), ref: 001BB994

Strings

advapi32.dll, xrefs: 001BB8ED
RegDeleteKeyExW, xrefs: 001BB8FE

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 8cd1a3ca9d748b45ef2586b52137585af8c24df6436fb787a4162be0674cec72
Instruction ID: 7a48ad7682a10e243bbbaeb528b2eb78ed8b43e4a33f14f0d23d743e6060342c
Opcode Fuzzy Hash: 8cd1a3ca9d748b45ef2586b52137585af8c24df6436fb787a4162be0674cec72
Instruction Fuzzy Hash: C9C17974208201AFD714DF24C4D5F6ABBE5BF84318F14849CF59A8BAA2CBB1ED45CB91

Function 001B255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001B25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001B25E8
CreateCompatibleDC.GDI32(?), ref: 001B25F4
SelectObject.GDI32(00000000,?), ref: 001B2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001B266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001B26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001B26D0
SelectObject.GDI32(?,?), ref: 001B26D8
DeleteObject.GDI32(?), ref: 001B26E1
DeleteDC.GDI32(?), ref: 001B26E8
ReleaseDC.USER32(00000000,?), ref: 001B26F3

Strings

(, xrefs: 001B268D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c82af6290ee1463a74edd06feae9f9674ebc2b5cc04aa70296d263a10a333b26
Instruction ID: 6803b1a8eb106096888c69eab1e2ab025cf2b7983eae486903887d4ac0bd8003
Opcode Fuzzy Hash: c82af6290ee1463a74edd06feae9f9674ebc2b5cc04aa70296d263a10a333b26
Instruction Fuzzy Hash: 9A61D1B5D00219EFCB14CFA8D884EEEBBB6FF58310F248529E959A7250D770AD518F90

Function 0016DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0016DAA1

Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D659
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D66B
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D67D
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D68F
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6A1
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6B3
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6C5
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6D7
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6E9
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6FB
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D70D
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D71F
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D731

_free.LIBCMT ref: 0016DA96

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 0016DAB8
_free.LIBCMT ref: 0016DACD
_free.LIBCMT ref: 0016DAD8
_free.LIBCMT ref: 0016DAFA
_free.LIBCMT ref: 0016DB0D
_free.LIBCMT ref: 0016DB1B
_free.LIBCMT ref: 0016DB26
_free.LIBCMT ref: 0016DB5E
_free.LIBCMT ref: 0016DB65
_free.LIBCMT ref: 0016DB82
_free.LIBCMT ref: 0016DB9A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0e1ea02c6fd4f112de3b452a618456d886e4e4119d779ccab206528f16583706
Instruction ID: b94dd31f52b23e6808411edacd89578883dbcbb6f8061572730c7dd40e419670
Opcode Fuzzy Hash: 0e1ea02c6fd4f112de3b452a618456d886e4e4119d779ccab206528f16583706
Instruction Fuzzy Hash: BB319A32B087049FEB25AA78EC41B6AB7E9FF61354F154429E448D7191DF30ECA0CB20

Function 0019365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0019369C
_wcslen.LIBCMT ref: 001936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00193797
GetClassNameW.USER32(?,?,00000400), ref: 0019380C
GetDlgCtrlID.USER32(?), ref: 0019385D
GetWindowRect.USER32(?,?), ref: 00193882
GetParent.USER32(?), ref: 001938A0
ScreenToClient.USER32(00000000), ref: 001938A7
GetClassNameW.USER32(?,?,00000100), ref: 00193921
GetWindowTextW.USER32(?,?,00000400), ref: 0019395D

Strings

%s%u, xrefs: 00193734

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 4ad0a542aa23ce667d1bb3e8d54227bf2ad6c6a96ed50664e48d809db475846f
Instruction ID: 3d3f39554952fd52a3802cef9cf6616d6619fd60050e9e7a217b43d98cf85547
Opcode Fuzzy Hash: 4ad0a542aa23ce667d1bb3e8d54227bf2ad6c6a96ed50664e48d809db475846f
Instruction Fuzzy Hash: 5191B171204606EFDB19DF64C885FAAF7A9FF44354F008629F9A9C6190DB30EA46CBD1

Function 00194954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00194994
GetWindowTextW.USER32(?,?,00000400), ref: 001949DA
_wcslen.LIBCMT ref: 001949EB
CharUpperBuffW.USER32(?,00000000), ref: 001949F7
_wcsstr.LIBVCRUNTIME ref: 00194A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00194A64
GetWindowTextW.USER32(?,?,00000400), ref: 00194A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00194AE6
GetClassNameW.USER32(?,?,00000400), ref: 00194B20
GetWindowRect.USER32(?,?), ref: 00194B8B

Strings

ThumbnailClass, xrefs: 00194A6F, 00194AF1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8e0c7e6b961f804b50d3c8345f7847a175124890d4744c687ae86d216a5c10f7
Instruction ID: dcefbe79aa04e3131c10bba31bd9d637d3f2e4b450bdb615c2f11b21a59f019b
Opcode Fuzzy Hash: 8e0c7e6b961f804b50d3c8345f7847a175124890d4744c687ae86d216a5c10f7
Instruction Fuzzy Hash: 3E91BD721082059FDF04CF14C985FAA7BE9FF94314F048469FD8A9A196EB30ED46CBA1

Function 001C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001C8D5A
GetFocus.USER32 ref: 001C8D6A
GetDlgCtrlID.USER32(00000000), ref: 001C8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001C8ECF
GetMenuItemCount.USER32(?), ref: 001C8EEC
GetMenuItemID.USER32(?,00000000), ref: 001C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001C8FA1

Strings

0, xrefs: 001C8E9F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e3affac1dd369ebf96b43909f6eb4a9c8911ea56162f869f539420143eabdf3d
Instruction ID: 63b3428676e231e6acaa6c3110aa7fb73d020b4e3ac9cfbb5bf87a43afcd6043
Opcode Fuzzy Hash: e3affac1dd369ebf96b43909f6eb4a9c8911ea56162f869f539420143eabdf3d
Instruction Fuzzy Hash: 09819B71608311AFDB10CF24D884FABBBE9FBA9314F04091DF98997291DB70D941CBA2

Function 0019DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0019DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0019DC46
_wcslen.LIBCMT ref: 0019DC50
_wcsstr.LIBVCRUNTIME ref: 0019DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0019DCBC

Strings

\VarFileInfo\Translation, xrefs: 0019DCB4
04090000, xrefs: 0019DCF2
StringFileInfo\, xrefs: 0019DC8F
DefaultLangCodepage, xrefs: 0019DD1F
%u.%u.%u.%u, xrefs: 0019DD9A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a0f5a3eb31ecc995d37c66fc75da855b6f4091f0643ae2a85e9c6afb20f52a10
Instruction ID: 91ef42d8335fd3940af421b3ae9984eaee8fba7a13eda9efc756f502055b6df9
Opcode Fuzzy Hash: a0f5a3eb31ecc995d37c66fc75da855b6f4091f0643ae2a85e9c6afb20f52a10
Instruction Fuzzy Hash: 79412472940204BADB14ABB4AC07EBF77ACEF61751F10006DF905BA1D2EB74DD0587A5

Function 001BCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001BCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001BCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001BCD48

Part of subcall function 001BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001BCCAA
Part of subcall function 001BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001BCCBD
Part of subcall function 001BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001BCCCF
Part of subcall function 001BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001BCD05
Part of subcall function 001BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001BCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001BCCF3

Strings

advapi32.dll, xrefs: 001BCCB8
RegDeleteKeyExW, xrefs: 001BCCC9

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 32ba08a1f1b93322044156b67cda2da3d5c830719d2de11470398e5c11d6aed4
Instruction ID: 1194270bf52c24247669036e5844ea06bdf1aa8addce2ca3be0bb6fb1ffcbe6b
Opcode Fuzzy Hash: 32ba08a1f1b93322044156b67cda2da3d5c830719d2de11470398e5c11d6aed4
Instruction Fuzzy Hash: 3D316A75901129BBDB209B95DC88EFFBF7CEF55750F000169F90AE2240DB349E85AAE0

Function 001A3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001A3D40
_wcslen.LIBCMT ref: 001A3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 001A3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001A3DBE
RemoveDirectoryW.KERNEL32(?), ref: 001A3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001A3E55
CloseHandle.KERNEL32(00000000), ref: 001A3E60
CloseHandle.KERNEL32(00000000), ref: 001A3E6B

Strings

\, xrefs: 001A3D77
:, xrefs: 001A3D82
\??\%s, xrefs: 001A3D5B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: ce29a03666eb66969ce272bb3c2154641427840038447150c779b1e5b8c4e62c
Instruction ID: fc8619d6ead600f5298eb5e2a4215229add77aa147d2c23233ac3a010abd6682
Opcode Fuzzy Hash: ce29a03666eb66969ce272bb3c2154641427840038447150c779b1e5b8c4e62c
Instruction Fuzzy Hash: 9C31A176900209ABDB219BA0DC49FEB3BBDEF89740F5040A5F919D6160E774D7888B64

Function 0019E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0019E6B4

Part of subcall function 0014E551: timeGetTime.WINMM(?,?,0019E6D4), ref: 0014E555

Sleep.KERNEL32(0000000A), ref: 0019E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0019E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0019E727
SetActiveWindow.USER32 ref: 0019E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0019E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0019E773
Sleep.KERNEL32(000000FA), ref: 0019E77E
IsWindow.USER32 ref: 0019E78A
EndDialog.USER32(00000000), ref: 0019E79B

Strings

BUTTON, xrefs: 0019E719

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a867b1cc0fbb762b388b2f57bb001be98eeb4d003a86900506ea3e1b3b8e8df4
Instruction ID: be73634b8931ba4d0ddd28296ede46554af308a660d3263a376bfdec7d77ddd9
Opcode Fuzzy Hash: a867b1cc0fbb762b388b2f57bb001be98eeb4d003a86900506ea3e1b3b8e8df4
Instruction Fuzzy Hash: 75215E70600315EFEF009FA0FC8DE253FADF754748F140425F91982AA2DB62EC848BA5

Function 0019E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0019EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0019EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0019EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0019EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0019EAA7

Strings

status PlayMe mode, xrefs: 0019EA58
close PlayMe, xrefs: 0019EA6E, 0019EA9B
alias PlayMe, xrefs: 0019EA36
play PlayMe wait, xrefs: 0019EA91
play PlayMe, xrefs: 0019EAA2
open , xrefs: 0019EA0C

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: cb1ce81a2fd94c2ab3f691772c134a616bf82fb3052ed1412a7f956e3100889c
Instruction ID: c1f825ccb279aa53b26313332bffa9f338b772eb658ee744eafc1832bec80fae
Opcode Fuzzy Hash: cb1ce81a2fd94c2ab3f691772c134a616bf82fb3052ed1412a7f956e3100889c
Instruction Fuzzy Hash: 3E112131A9025D7DDB20E7A2DC4AEFF6ABCFBD1B44F400429B511A20D1EBB05D45C6B0

Function 00195CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00195CE2
GetWindowRect.USER32(00000000,?), ref: 00195CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00195D59
GetDlgItem.USER32(?,00000002), ref: 00195D69
GetWindowRect.USER32(00000000,?), ref: 00195D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00195DCF
GetDlgItem.USER32(?,000003E9), ref: 00195DDD
GetWindowRect.USER32(00000000,?), ref: 00195DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00195E31
GetDlgItem.USER32(?,000003EA), ref: 00195E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00195E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00195E67

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6c40ed6316e70df8831e8d5ec5a862d94b9609fe28f336293dc6e7c4a5b7c3c9
Instruction ID: da3fc96dd92870a6747e03f25a05d6901284038f287e160f4f8b99ea84606fb4
Opcode Fuzzy Hash: 6c40ed6316e70df8831e8d5ec5a862d94b9609fe28f336293dc6e7c4a5b7c3c9
Instruction Fuzzy Hash: 95510FB1A00615AFDF19CFA8DD89EAEBBB6FB48300F148129F519E6690D770DE40CB50

Function 00148BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00148F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00148BE8,?,00000000,?,?,?,?,00148BBA,00000000,?), ref: 00148FC5

DestroyWindow.USER32(?), ref: 00148C81
KillTimer.USER32(00000000,?,?,?,?,00148BBA,00000000,?), ref: 00148D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00186973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00148BBA,00000000,?), ref: 001869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00148BBA,00000000,?), ref: 001869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00148BBA,00000000), ref: 001869D4
DeleteObject.GDI32(00000000), ref: 001869E6

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 88752f626fe89ba1dce50828a4482309467583626aa0ba085f07df95e4ccd068
Instruction ID: 3645c08995d6fa60e6d8b9cb60a5728893b6fbcdad54c220a75122445e1ea377
Opcode Fuzzy Hash: 88752f626fe89ba1dce50828a4482309467583626aa0ba085f07df95e4ccd068
Instruction Fuzzy Hash: B1618D30902714DFDB29AF14D998B69BBF1FB50316F144518E0469B9B0CB71AEE0DF90

Function 00149838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00149944: GetWindowLongW.USER32(?,000000EB), ref: 00149952

GetSysColor.USER32(0000000F), ref: 00149862

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d561f009c2e7338a34815627a417d90ebae95dd054a7aea97ea84227d764216e
Instruction ID: 601f723e5357fd78a3ee3546de28b314a7da29cf8f6befd5b677a240cda68e21
Opcode Fuzzy Hash: d561f009c2e7338a34815627a417d90ebae95dd054a7aea97ea84227d764216e
Instruction Fuzzy Hash: 8D41A131104648AFDB209F3C9C88FBA3BA5AB46330F284615FAA6871F1C731DD82DB50

Function 001996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0017F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00199717
LoadStringW.USER32(00000000,?,0017F7F8,00000001), ref: 00199720

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0017F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00199742
LoadStringW.USER32(00000000,?,0017F7F8,00000001), ref: 00199745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00199866

Strings

Line %d:, xrefs: 001997A0
%s (%d) : ==> %s: %s %s, xrefs: 0019984A
Line %d (File "%s"):, xrefs: 0019978F
^ ERROR, xrefs: 001997FB
Error: , xrefs: 0019981D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4321349a393a679689072e4b8b4c2a07ea87518dbc3b02317fe031b1fb2be526
Instruction ID: 7eeeb5324e3945fe7b51d68bb9bc84cd038d0d9327a27658531b6176dcdcc772
Opcode Fuzzy Hash: 4321349a393a679689072e4b8b4c2a07ea87518dbc3b02317fe031b1fb2be526
Instruction Fuzzy Hash: 03413F7280420DAACF04FBE4DE46EEEB778AF65340F504069F60572092EB756F49CB61

Function 001906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00190804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0019082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00190837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0019083C

Strings

\IPC$, xrefs: 00190784
SOFTWARE\Classes\, xrefs: 0019070E
\CLSID, xrefs: 00190724

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: e2ba528f32977ee212c67e2ff270f353a5cd801bd0161a74b292ed8d55d2f638
Instruction ID: 7917b9f0909bbcae0dff350b3535569549ff95b5594a8e554608715271711eed
Opcode Fuzzy Hash: e2ba528f32977ee212c67e2ff270f353a5cd801bd0161a74b292ed8d55d2f638
Instruction Fuzzy Hash: 4D412472D00228AFCF15EBA4DC85CEEB7B8BF58350F444169E905A31A0EB709E44CBA0

Function 001B3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B3C5C
CoInitialize.OLE32(00000000), ref: 001B3C8A
CoUninitialize.OLE32 ref: 001B3C94
_wcslen.LIBCMT ref: 001B3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001B3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001B3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001B3F0E
CoGetObject.OLE32(?,00000000,001CFB98,?), ref: 001B3F2D
SetErrorMode.KERNEL32(00000000), ref: 001B3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001B3FC4
VariantClear.OLEAUT32(?), ref: 001B3FD8

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: eb6b96b1e5058caaee4dedd3deba9283875601e6a3d2a8e06160abf730e77a94
Instruction ID: 87f1596187a7c82b6f6e5b85287182899e5dfb4c025d8435bb7a1c0167cd8ffc
Opcode Fuzzy Hash: eb6b96b1e5058caaee4dedd3deba9283875601e6a3d2a8e06160abf730e77a94
Instruction Fuzzy Hash: 71C145716083059FC704DF68C88496BBBE9FF89744F14491DF99A9B250DB30EE46CB92

Function 001A7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001A7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001A7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001A7BA3
CoCreateInstance.OLE32(001CFD08,00000000,00000001,001F6E6C,?), ref: 001A7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001A7C74
CoTaskMemFree.OLE32(?,?), ref: 001A7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001A7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001A7D7A
CoTaskMemFree.OLE32(00000000), ref: 001A7D81
CoTaskMemFree.OLE32(00000000), ref: 001A7DD6
CoUninitialize.OLE32 ref: 001A7DDC

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e34aee0412fbc692f56ba352e25d7cbcabe9558487d52676b7184acd3b30d6ec
Instruction ID: 3c2755774643776c924a1eaa51ac1dbee33ba996ae9903a76eb0705d2dee2c9c
Opcode Fuzzy Hash: e34aee0412fbc692f56ba352e25d7cbcabe9558487d52676b7184acd3b30d6ec
Instruction Fuzzy Hash: 99C11975A04209AFCB14DFA4C884DAEBBF9FF49314F148499E81A9B661D730EE45CB90

Function 001C541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001C5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C5515
CharNextW.USER32(00000158), ref: 001C5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001C5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001C559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C55AC

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 9897a278442dac35c66aa00ac6b57ac384645950eb018b90274b9162eb9433a9
Instruction ID: 55614c620c0f7b018463c1726e2808605389b027b1cfbe995a81120a49c00abb
Opcode Fuzzy Hash: 9897a278442dac35c66aa00ac6b57ac384645950eb018b90274b9162eb9433a9
Instruction Fuzzy Hash: EC619F30900618EFDF148F94CC84EFE7BBAEB29724F104149F925A6291D770EAC0DB61

Function 0018FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0018FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0018FB08
VariantInit.OLEAUT32(?), ref: 0018FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0018FB3A
VariantCopy.OLEAUT32(?,?), ref: 0018FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0018FBA1
VariantClear.OLEAUT32(?), ref: 0018FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0018FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0018FBCC
VariantClear.OLEAUT32(?), ref: 0018FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0018FBE9

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f5b207c03b0cfc08bc64596406d42db0672bd856415de1e58a173f8b53952398
Instruction ID: e250df2cd05b5e747cbeb786d4be4456c570a02ce8a35a9a17f93aa5ba759338
Opcode Fuzzy Hash: f5b207c03b0cfc08bc64596406d42db0672bd856415de1e58a173f8b53952398
Instruction Fuzzy Hash: 9D412135A002199FCB04EF64D854DAEBBB9FF58354F008069E959A7661D730EE46CF90

Function 00199C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00199CA1
GetAsyncKeyState.USER32(000000A0), ref: 00199D22
GetKeyState.USER32(000000A0), ref: 00199D3D
GetAsyncKeyState.USER32(000000A1), ref: 00199D57
GetKeyState.USER32(000000A1), ref: 00199D6C
GetAsyncKeyState.USER32(00000011), ref: 00199D84
GetKeyState.USER32(00000011), ref: 00199D96
GetAsyncKeyState.USER32(00000012), ref: 00199DAE
GetKeyState.USER32(00000012), ref: 00199DC0
GetAsyncKeyState.USER32(0000005B), ref: 00199DD8
GetKeyState.USER32(0000005B), ref: 00199DEA

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a6b36ec9ff4e38e7e286ed4a1bc9823b542985d8cddec14faeba7afea72a7ac3
Instruction ID: e1831e01a4a804cccb8401aa04ecdf5fe0b26f5e7275a5b16c5072c0c6ffb262
Opcode Fuzzy Hash: a6b36ec9ff4e38e7e286ed4a1bc9823b542985d8cddec14faeba7afea72a7ac3
Instruction Fuzzy Hash: 7E41CD349047CA6DFF3597A8C8447B5BEE06F12344F04805ED6C6565C2EBA59DC4C792

Function 001B055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001B05BC
inet_addr.WSOCK32(?), ref: 001B061C
gethostbyname.WSOCK32(?), ref: 001B0628
IcmpCreateFile.IPHLPAPI ref: 001B0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001B06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001B06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001B07B9
WSACleanup.WSOCK32 ref: 001B07BF

Strings

Ping, xrefs: 001B0676

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 25780caea20e371440b5ed6a4b3c2241745a2c68c8b07eae6502de7795525027
Instruction ID: c49ebdeeeb991eeabcb4741e28379337c3b41da08d56d6d2238ac1872e551bc9
Opcode Fuzzy Hash: 25780caea20e371440b5ed6a4b3c2241745a2c68c8b07eae6502de7795525027
Instruction Fuzzy Hash: 9A918E355042019FD321DF15C888F5BBBE4AF48318F1585A9F4A99BBA2CB30ED45CF91

Function 001B8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001B8CF3

Part of subcall function 00198E54: _wcslen.LIBCMT ref: 00198E77

_wcslen.LIBCMT ref: 001B8D4E
_wcslen.LIBCMT ref: 001B8D9C
_wcslen.LIBCMT ref: 001B8DDC
_wcslen.LIBCMT ref: 001B8E6E

Strings

winapi, xrefs: 001B8D96, 001B8D9B
stdcall, xrefs: 001B8DD6, 001B8DDB
none, xrefs: 001B8E65, 001B8E6A
cdecl, xrefs: 001B8D48, 001B8D4D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: c667d3e70d62de180c38a4c321b49bdad885b0fe6233888daa37e2b49db0c6b1
Instruction ID: d30abb6ff3aac31f2f2804367f93a56de08579592657e0b485ee472831c5229b
Opcode Fuzzy Hash: c667d3e70d62de180c38a4c321b49bdad885b0fe6233888daa37e2b49db0c6b1
Instruction Fuzzy Hash: DB519331A0411A9BCF14DFACC9519FEB7A9BF64B24B21422AE966E72C4DF31DD40C790

Function 001B372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001B3774
CoUninitialize.OLE32 ref: 001B377F
CoCreateInstance.OLE32(?,00000000,00000017,001CFB78,?), ref: 001B37D9
IIDFromString.OLE32(?,?), ref: 001B384C
VariantInit.OLEAUT32(?), ref: 001B38E4
VariantClear.OLEAUT32(?), ref: 001B3936

Strings

Failed to create object, xrefs: 001B37E4, 001B389A
Invalid parameter, xrefs: 001B3865
NULL Pointer assignment, xrefs: 001B381E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f05040ffe523665e104a46cd00ce039e4612489afaa0bedad213f4711add96d5
Instruction ID: ddc1f9a7c4ffbf641149d329fdfbe3d921602cf06574be2ce4470624a4de3899
Opcode Fuzzy Hash: f05040ffe523665e104a46cd00ce039e4612489afaa0bedad213f4711add96d5
Instruction Fuzzy Hash: 0161D371608301AFD711DF54C888FAABBE8EF59710F00490DF9959B291DB70EE59CB92

Function 001C8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

Part of subcall function 0014912D: GetCursorPos.USER32(?), ref: 00149141
Part of subcall function 0014912D: ScreenToClient.USER32(00000000,?), ref: 0014915E
Part of subcall function 0014912D: GetAsyncKeyState.USER32(00000001), ref: 00149183
Part of subcall function 0014912D: GetAsyncKeyState.USER32(00000002), ref: 0014919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001C8B6B
ImageList_EndDrag.COMCTL32 ref: 001C8B71
ReleaseCapture.USER32 ref: 001C8B77
SetWindowTextW.USER32(?,00000000), ref: 001C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001C8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001C8CFF

Strings

p# , xrefs: 001C8C71
@GUI_DROPID, xrefs: 001C8C51
@GUI_DRAGFILE, xrefs: 001C8C9A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#
API String ID: 1924731296-1206455525
Opcode ID: 9ed0bcfe59d5a2aca13f4d9c8b1bb57e86761fa4121a7d0d50545069a7c6e9ee
Instruction ID: db88cc713b0b1f5fe2043d8f56a2136b79438335a7f9b45397589cd9a1d3474d
Opcode Fuzzy Hash: 9ed0bcfe59d5a2aca13f4d9c8b1bb57e86761fa4121a7d0d50545069a7c6e9ee
Instruction Fuzzy Hash: ED514A71104304AFD704DF14D89AFAA77E4EB98714F40062DF996672E2DB70DD54CBA2

Function 001A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001A33CF

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001A33F0

Strings

Line %d (File "%s"):, xrefs: 001A3443, 001A345C
"%s" (%d) : ==> %s:%s%s, xrefs: 001A3504
^ ERROR , xrefs: 001A349E
Error: , xrefs: 001A34D1
Incorrect parameters to object property !, xrefs: 001A34AB
"%s" (%d) : ==> %s:, xrefs: 001A3522

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: a7d94437e2bbe444ce4aad50cac5142e8bd8ba02859ab674ee8ca166b437b78b
Instruction ID: 2eacf3673529af1f5edd66668c864a3d015964657ffa9032f624cc47063d0b54
Opcode Fuzzy Hash: a7d94437e2bbe444ce4aad50cac5142e8bd8ba02859ab674ee8ca166b437b78b
Instruction Fuzzy Hash: D7518C72D00209AADF15EBE0DD46EEEB778EF25340F1080A5F519720A2EB716F58DB61

Function 0019B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0019B5FC
_wcslen.LIBCMT ref: 0019B608
_wcslen.LIBCMT ref: 0019B64D
_wcslen.LIBCMT ref: 0019B68C
_wcslen.LIBCMT ref: 0019B6C7

Strings

APPEND, xrefs: 0019B6C1, 0019B6C6
REMOVE, xrefs: 0019B602, 0019B607
KEYS, xrefs: 0019B647, 0019B64C
EXISTS, xrefs: 0019B686, 0019B68B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6689feaaaa98a01298a92c075f1fa9e8d41fe0c331d7b45465a841cbb6147dc9
Instruction ID: 69124c4dfc5bce43c457c876206ae21377e005ab0b58cceba2614a75646e674e
Opcode Fuzzy Hash: 6689feaaaa98a01298a92c075f1fa9e8d41fe0c331d7b45465a841cbb6147dc9
Instruction Fuzzy Hash: 9941F832A080269BCF106F7DDED15BE77A5BFA0B58B254229E421DB284E731ED81C790

Function 001A5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001A5416
GetLastError.KERNEL32 ref: 001A5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001A54A7

Strings

READONLY, xrefs: 001A5452
NOTREADY, xrefs: 001A544B
INVALID, xrefs: 001A5459
READY, xrefs: 001A5460, 001A5468
UNKNOWN, xrefs: 001A5444

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ec6a7ae05976c65e39376bce6625991db3bc092c4a660d943e0885a9a3de3b24
Instruction ID: 984c337c2ea727a6f5e7201bdfbcf252373db99e944c6075cec119dc4bb21a58
Opcode Fuzzy Hash: ec6a7ae05976c65e39376bce6625991db3bc092c4a660d943e0885a9a3de3b24
Instruction Fuzzy Hash: 9A31D439A04608DFC714DF68C484EAE7BB5FF5A305F188065E505DB692E770ED86CBA0

Function 001C3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001C3C79
SetMenu.USER32(?,00000000), ref: 001C3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001C3D10
IsMenu.USER32(?), ref: 001C3D24
CreatePopupMenu.USER32 ref: 001C3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001C3D5B
DrawMenuBar.USER32 ref: 001C3D63

Strings

0, xrefs: 001C3C54
F, xrefs: 001C3D4E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a19349e8195630e802c172ce58e7b55de00879b3635f893021ef069f00feac0c
Instruction ID: b34c212e63fe78d22fe39a35cce6332e87f55b3586c3545b33a02db302d41dd9
Opcode Fuzzy Hash: a19349e8195630e802c172ce58e7b55de00879b3635f893021ef069f00feac0c
Instruction Fuzzy Hash: 4F413679A01209AFDB14CFA4E844FAA7BB5FF59350F14402DE95AA7360D730EE50CB94

Function 00191EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 00193CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00193CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00191F64
GetDlgCtrlID.USER32 ref: 00191F6F
GetParent.USER32 ref: 00191F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00191F8E
GetDlgCtrlID.USER32(?), ref: 00191F97
GetParent.USER32(?), ref: 00191FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00191FAE

Strings

ComboBox, xrefs: 00191EEC
ListBox, xrefs: 00191F21

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ab05b3fa0bb5d4a73dbfd337ad92115b70ef5a7b23a75f22fef2fb483ccf30ae
Instruction ID: b5039e503270cea7fc86961b9f06932c63b3f2965dfbdb84ac05e5f7ef889184
Opcode Fuzzy Hash: ab05b3fa0bb5d4a73dbfd337ad92115b70ef5a7b23a75f22fef2fb483ccf30ae
Instruction Fuzzy Hash: 1F21D170900218BBCF05AFA0DC85DFEBFB9EF15350F000156F969A72A1CB759949DBA0

Function 001C3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001C3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001C3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001C3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001C3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001C3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001C3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001C3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001C3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001C3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001C3C13

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: cbd5c41cbe966d41b010bfeb9b7e8e01fde26cf69f8b7d75aec5c6a90e9cfdd1
Instruction ID: aca901801718218c27beb91c35acdf18b70f97fefbca80b0156631b43d6b1ddd
Opcode Fuzzy Hash: cbd5c41cbe966d41b010bfeb9b7e8e01fde26cf69f8b7d75aec5c6a90e9cfdd1
Instruction Fuzzy Hash: A6616975A00248AFDB10DFA8CC85FEE77B8EB19700F10419AFA15A72A2D770EE55DB50

Function 0019B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0019B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B165
GetWindowThreadProcessId.USER32(00000000), ref: 0019B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0019B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B21D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 64aca38fdfc6fe7f0f1c50e7179230255c275d8f255871cd8db337f04677bbf7
Instruction ID: 2d9b19cb019a5d5f8e52b0e1013db0c7c33be45053fdad0c8054102a6aa00cad
Opcode Fuzzy Hash: 64aca38fdfc6fe7f0f1c50e7179230255c275d8f255871cd8db337f04677bbf7
Instruction Fuzzy Hash: 75316579504304AFDF10DF24FE88FAA7BAAFB51311F104019FA0996291D7B4AE818BA0

Function 00162C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00162C94

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 00162CA0
_free.LIBCMT ref: 00162CAB
_free.LIBCMT ref: 00162CB6
_free.LIBCMT ref: 00162CC1
_free.LIBCMT ref: 00162CCC
_free.LIBCMT ref: 00162CD7
_free.LIBCMT ref: 00162CE2
_free.LIBCMT ref: 00162CED
_free.LIBCMT ref: 00162CFB

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a6e493c1676857dd415c46b3cf9f988fe2518390d99cd7243be417a0cf13ef3
Instruction ID: 92ec0fdff666860d5eac6dbaf0b616839a152ca4e6f946a0cdc64f9ddd5dde00
Opcode Fuzzy Hash: 1a6e493c1676857dd415c46b3cf9f988fe2518390d99cd7243be417a0cf13ef3
Instruction Fuzzy Hash: 2511C376600518BFCB06EF54DC82CDD3BA5FF55394F4144A1FA489B222DB31EA609B90

Function 001A7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001A7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001A7FC1
GetFileAttributesW.KERNEL32(?), ref: 001A7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 001A8005
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8017
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001A80B0

Strings

*.*, xrefs: 001A8066

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 07f572e21d46358388d4b72b11e3d77aa9eb8f969e49a35788e7a162ff33d485
Instruction ID: d9643d4802e8603df41e39d5eb8464f587b4d58057da3a2d1c6cc81036d51092
Opcode Fuzzy Hash: 07f572e21d46358388d4b72b11e3d77aa9eb8f969e49a35788e7a162ff33d485
Instruction Fuzzy Hash: 4081B17A5083419BCB24EF14C8449AEB7E8BF9A310F144C5EF885D7291EB35DE49CB92

Function 00135BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00135C7A

Part of subcall function 00135D0A: GetClientRect.USER32(?,?), ref: 00135D30
Part of subcall function 00135D0A: GetWindowRect.USER32(?,?), ref: 00135D71
Part of subcall function 00135D0A: ScreenToClient.USER32(?,?), ref: 00135D99

GetDC.USER32 ref: 001746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00174708
SelectObject.GDI32(00000000,00000000), ref: 00174716
SelectObject.GDI32(00000000,00000000), ref: 0017472B
ReleaseDC.USER32(?,00000000), ref: 00174733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001747C4

Strings

U, xrefs: 00174693

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c5ec04c61c13eb9d3a3584cfacc4e9cac5b7d8942450747d677e2cf901f9a21a
Instruction ID: 88adfd4fe86a3b0d58ad2a675c9aac9f498c966a50719297300d91c0feeb088b
Opcode Fuzzy Hash: c5ec04c61c13eb9d3a3584cfacc4e9cac5b7d8942450747d677e2cf901f9a21a
Instruction Fuzzy Hash: 1671DF35400205DFCF2A8F64C984ABA7BB6FF5A364F188269F9595A266C331DC81DF50

Function 001A359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001A35E4

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

LoadStringW.USER32(00202390,?,00000FFF,?), ref: 001A360A

Strings

Line %d (File "%s"):, xrefs: 001A366B
^ ERROR, xrefs: 001A36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 001A3724
Error: , xrefs: 001A36EF
"%s" (%d) : ==> %s:, xrefs: 001A3742

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1cf7254cf91524de2259dd52fae97453ee0fced0cc333fd3a79512ff723a0aae
Instruction ID: 87226bdfcd7a7680e306afe6c410715ea191b03b1a8c48b947edde61237e57bf
Opcode Fuzzy Hash: 1cf7254cf91524de2259dd52fae97453ee0fced0cc333fd3a79512ff723a0aae
Instruction Fuzzy Hash: 86515B72800209BBDF15EBE0DC46EEEBB78AF25300F144169F115721A2EB715B99DFA1

Function 001AC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001AC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001AC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001AC2CA
GetLastError.KERNEL32 ref: 001AC322
SetEvent.KERNEL32(?), ref: 001AC336
InternetCloseHandle.WININET(00000000), ref: 001AC341

Strings

, xrefs: 001AC2BB

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6aab719ec09341bfb0629011f21cb805e950f297896675b3afb51218ad70c52e
Instruction ID: 01277b150396af25ca8e0bad29c1018930abcc31d21a98ab7d2e69db0036f4f1
Opcode Fuzzy Hash: 6aab719ec09341bfb0629011f21cb805e950f297896675b3afb51218ad70c52e
Instruction Fuzzy Hash: B9318DB5500304AFDB219FA48888AAB7AFCFF5A740F10851EF44A92600DB30DD459BE1

Function 0019989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00173AAF,?,?,Bad directive syntax error,001CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001998BC
LoadStringW.USER32(00000000,?,00173AAF,?), ref: 001998C3

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00199987

Strings

Line %d:, xrefs: 00199912
Line %d (File "%s"):, xrefs: 0019992D
%s (%d) : ==> %s.: %s %s, xrefs: 001998F1
Error: , xrefs: 00199955
., xrefs: 0019996D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8fb48aec3d510d399729ac821c727fad574ce5862675a86f3d0bf4ad7a33edf7
Instruction ID: 46a9d6eeaa3b90be4c01c4ad50276308199051c91f5cc27b92426522135dcba9
Opcode Fuzzy Hash: 8fb48aec3d510d399729ac821c727fad574ce5862675a86f3d0bf4ad7a33edf7
Instruction Fuzzy Hash: F2214F3194021EEBCF15AF90CC0AEEE7779FF28704F044469F619660A2EB719A58DB51

Function 0019209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0019214D

Strings

SHELLDLL_DefView, xrefs: 001920CC
smallicons, xrefs: 00192115
list, xrefs: 0019212F
largeicons, xrefs: 001920E1
details, xrefs: 001920FB

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a6ea1c9ad10c6a4c179b67af2c410ef9decbed399a357882939dc8732ff94c6e
Instruction ID: 7464f19d6d9e00d26e5148c4214bbc3de0010835042be609a6d856a2066ff899
Opcode Fuzzy Hash: a6ea1c9ad10c6a4c179b67af2c410ef9decbed399a357882939dc8732ff94c6e
Instruction Fuzzy Hash: E611367668871ABAFF052220DC0ACF6379ECB14729F200026FB05A90D2EB71AC955654

Function 00168D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc073374358d5020fad1d82f152cc48d184f525dece1f3506171157e88106528
Instruction ID: fb242f5df69bc7b675c684e5f09bbd52edbfa672d42728ef498527ddc45db39b
Opcode Fuzzy Hash: fc073374358d5020fad1d82f152cc48d184f525dece1f3506171157e88106528
Instruction Fuzzy Hash: 09C1E3B4904249EFDF11DFA8DC45BADBBB8AF19310F044199F815AB392CB309952CB61

Function 0016CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0016CEB7
_free.LIBCMT ref: 0016CF22
_free.LIBCMT ref: 0016CF48
_free.LIBCMT ref: 0016CF71
_free.LIBCMT ref: 0016CFA9
_free.LIBCMT ref: 0016CFDA
_free.LIBCMT ref: 0016D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0016D09C
_free.LIBCMT ref: 0016D0B5

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0c6b4e5c23b8e2fc292b166595da1bedbebd6c24c3ff0c8b691556f577d727d4
Instruction ID: 31a268db35ac02665921ad7af91b187ed8df0cd6b66da71b3acc707351b27ee7
Opcode Fuzzy Hash: 0c6b4e5c23b8e2fc292b166595da1bedbebd6c24c3ff0c8b691556f577d727d4
Instruction Fuzzy Hash: 45617871A04311AFDF25AFB4AC85B7E7BA5EF15350F0441ADF98497282DB329D2187E0

Function 001C50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001C5186
ShowWindow.USER32(?,00000000), ref: 001C51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001C51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001C51D1

Part of subcall function 001C6FBA: DeleteObject.GDI32(00000000), ref: 001C6FE6

GetWindowLongW.USER32(?,000000F0), ref: 001C520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001C521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001C524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001C5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001C5296

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: c03ec4e4590ac268c6cbaf6a243e4a59938cefc866934b73d538bb49c15c7544
Instruction ID: 897f70e987f08898c561f5dc1eb4b0d3d82c8fbb7066c2c38c56ad5bee15ad29
Opcode Fuzzy Hash: c03ec4e4590ac268c6cbaf6a243e4a59938cefc866934b73d538bb49c15c7544
Instruction Fuzzy Hash: 5A51BD30A40A08FEEF249F24CC4AFD97BA6EB25365F58401AF619962E1C771F9D0DB41

Function 00148B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00186890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00148874,00000000,00000000,00000000,000000FF,00000000), ref: 00186901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0018691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00148874,00000000,00000000,00000000,000000FF,00000000), ref: 0018692D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d026e5c857e3d6c89626c9a17b4649ccb0b808ae05723e77c5e01e29af5bdf3e
Instruction ID: 42b5991b02450539c04dc1e55d51273c4d5c53037199e8815e1379f5f1747bf8
Opcode Fuzzy Hash: d026e5c857e3d6c89626c9a17b4649ccb0b808ae05723e77c5e01e29af5bdf3e
Instruction Fuzzy Hash: DA515870A00309EFDB24DF24CC95FAA7BB5EB58754F104528F956972A0DB70EE90DB50

Function 001AC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001AC182
GetLastError.KERNEL32 ref: 001AC195
SetEvent.KERNEL32(?), ref: 001AC1A9

Part of subcall function 001AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001AC272
Part of subcall function 001AC253: GetLastError.KERNEL32 ref: 001AC322
Part of subcall function 001AC253: SetEvent.KERNEL32(?), ref: 001AC336
Part of subcall function 001AC253: InternetCloseHandle.WININET(00000000), ref: 001AC341

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 23c102b47d160970b3d930ebeb3d392f081bf7b64929e8a4efaee1f9e5598af2
Instruction ID: 90337d5bd4660075438e8d5ab3d7d437ab2199fb9ad78570916913b604e3e8f4
Opcode Fuzzy Hash: 23c102b47d160970b3d930ebeb3d392f081bf7b64929e8a4efaee1f9e5598af2
Instruction Fuzzy Hash: C3318D79200705EFDB219FA5DD44A66BFF9FF5A300B04441EF95A82A11D731E854DBE0

Function 001925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00193A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00193A57
Part of subcall function 00193A3D: GetCurrentThreadId.KERNEL32 ref: 00193A5E
Part of subcall function 00193A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001925B3), ref: 00193A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00192601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00192605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0019260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00192623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00192627

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1370fa072c67e4a1c4dbf71ea30a4e687275bac09142b2384bdc84eef490073c
Instruction ID: 23e74f6c499511ff1bca724b47bf7c0ef02db5c0631b678e6e2faba89fc8bd60
Opcode Fuzzy Hash: 1370fa072c67e4a1c4dbf71ea30a4e687275bac09142b2384bdc84eef490073c
Instruction Fuzzy Hash: 6A01FC30790210BBFB106769DC8AF993F59DF5EB11F110001F318AF1D1C9F15884CAA9

Function 00191803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00191449,?,?,00000000), ref: 0019180C
HeapAlloc.KERNEL32(00000000,?,00191449,?,?,00000000), ref: 00191813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00191449,?,?,00000000), ref: 00191828
GetCurrentProcess.KERNEL32(?,00000000,?,00191449,?,?,00000000), ref: 00191830
DuplicateHandle.KERNEL32(00000000,?,00191449,?,?,00000000), ref: 00191833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00191449,?,?,00000000), ref: 00191843
GetCurrentProcess.KERNEL32(00191449,00000000,?,00191449,?,?,00000000), ref: 0019184B
DuplicateHandle.KERNEL32(00000000,?,00191449,?,?,00000000), ref: 0019184E
CreateThread.KERNEL32(00000000,00000000,00191874,00000000,00000000,00000000), ref: 00191868

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0df9d1c0b4fa920a58499fc2952e92f727aa2b81d2603fdab5bf4c10ce850704
Instruction ID: 4931965ff389f883932992b5b0cd8803c30875743bf95f15b846770f294a0106
Opcode Fuzzy Hash: 0df9d1c0b4fa920a58499fc2952e92f727aa2b81d2603fdab5bf4c10ce850704
Instruction Fuzzy Hash: BE01A8B5240348FFE610ABA6DC49F6B3BACEB89B11F044411FA09DB5A1CA74DC408B60

Function 001BA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0019D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0019D501
Part of subcall function 0019D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0019D50F
Part of subcall function 0019D4DC: CloseHandle.KERNELBASE(00000000), ref: 0019D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BA16D
GetLastError.KERNEL32 ref: 001BA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001BA268
GetLastError.KERNEL32(00000000), ref: 001BA273
CloseHandle.KERNEL32(00000000), ref: 001BA2C4

Strings

SeDebugPrivilege, xrefs: 001BA18F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d7173aec59664ad15a1f99327ebfffdbc052e4e31066474e7d49f8cbf248987b
Instruction ID: 0bb4cd0689b30857581ef389955a37ee0094ba5fe384c75c7d06be8b0901db6c
Opcode Fuzzy Hash: d7173aec59664ad15a1f99327ebfffdbc052e4e31066474e7d49f8cbf248987b
Instruction Fuzzy Hash: 1F61B030204242AFE724DF19C494F55BBE5AF54318F58849CE46A8BBA3C772EC85CBD2

Function 001C3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001C3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001C393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001C3954
_wcslen.LIBCMT ref: 001C3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001C39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001C39F4

Strings

SysListView32, xrefs: 001C38F7

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: fa93ef2683653343a9f65c92e3a52f09023d7ced7d817ced93f0716876f362dd
Instruction ID: 0e225eb5b63c34abaf57bf3ea3c1e8d45044a442202f81f34d50ecd3d27c82e5
Opcode Fuzzy Hash: fa93ef2683653343a9f65c92e3a52f09023d7ced7d817ced93f0716876f362dd
Instruction Fuzzy Hash: DC41C671A00318ABEF219F64CC49FEA7BA9EF18354F10452AF958E7281D771DE90CB90

Function 0019BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0019BCFD
IsMenu.USER32(00000000), ref: 0019BD1D
CreatePopupMenu.USER32 ref: 0019BD53
GetMenuItemCount.USER32(011E50C8), ref: 0019BDA4
InsertMenuItemW.USER32(011E50C8,?,00000001,00000030), ref: 0019BDCC

Strings

0, xrefs: 0019BCA8
2, xrefs: 0019BD37

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 43ceb2b40370df6f90bab63f5d46da21d155009e441ed18054b293fee78cbae8
Instruction ID: 6ff836934c15fc7bcf2aa6766cf431ab5d6f0d5bceaa6fd0a0d05cf228faf1d7
Opcode Fuzzy Hash: 43ceb2b40370df6f90bab63f5d46da21d155009e441ed18054b293fee78cbae8
Instruction Fuzzy Hash: 5D51BF70A08209DBDF10CFE8EAC8BAEBBF4BF55318F144259E455E7290D770A941CBA1

Function 0019C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0019C913

Strings

info, xrefs: 0019C8B4
question, xrefs: 0019C8CC
blank, xrefs: 0019C895
warning, xrefs: 0019C8FC
stop, xrefs: 0019C8E4

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d258cad814615455f9a92e763b8ed1b5a34861c6bdbf1c558e6277ca282c7431
Instruction ID: 8c270ac4150c67f15b2e24fb3bb448a800618197d13097dcb7ed0f08b3c9d08a
Opcode Fuzzy Hash: d258cad814615455f9a92e763b8ed1b5a34861c6bdbf1c558e6277ca282c7431
Instruction Fuzzy Hash: A5110D3168930ABBEF05AB54DC83CAE779CDF1535DB20002EF945A6182D7709D4053E4

Function 0019DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0019DE42
gethostname.WSOCK32(?,00000100), ref: 0019DE5C
gethostbyname.WSOCK32(?), ref: 0019DE69
inet_ntoa.WSOCK32(?), ref: 0019DEAB
_strcat.LIBCMT ref: 0019DEB9
WSACleanup.WSOCK32 ref: 0019DEDE

Strings

0.0.0.0, xrefs: 0019DE87

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: adbe9389474885b647c204c6acb2714afcc1c98cd7eede0e39871a4a45ff5a16
Instruction ID: 3dce119ba7415aba8bc49e3ea7f670531f5fe2877f13d05c1b920c1caefa30db
Opcode Fuzzy Hash: adbe9389474885b647c204c6acb2714afcc1c98cd7eede0e39871a4a45ff5a16
Instruction Fuzzy Hash: 78113671800205EFDF20AB60EC0AEEF37ACDF24315F0101A9F419AA091EF70CEC18AA0

Function 0019ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0019ED2A
_wcslen.LIBCMT ref: 0019ED3B
_wcslen.LIBCMT ref: 0019ED79
_wcslen.LIBCMT ref: 0019EDAF
_wcslen.LIBCMT ref: 0019EDDF
_wcslen.LIBCMT ref: 0019EDEF
_wcslen.LIBCMT ref: 0019EE2B
_wcslen.LIBCMT ref: 0019EE5A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8c52fe27d977e26c7012664bb883dd29cdeb22450e08393fd111da5667ded682
Instruction ID: b2735a7805c1b4e5c7829e470cffff868795079551b703641f5fa44b94863f0b
Opcode Fuzzy Hash: 8c52fe27d977e26c7012664bb883dd29cdeb22450e08393fd111da5667ded682
Instruction Fuzzy Hash: F841B565C10118B6CB11EBF4C88A9DFB7B8EF55311F508466E924E7121FB34E249C3E6

Function 0014F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0018682C,00000004,00000000,00000000), ref: 0014F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0018682C,00000004,00000000,00000000), ref: 0018F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0018682C,00000004,00000000,00000000), ref: 0018F454

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e404052c3d79ec9ee43c2e103e01eea6aa6967ced3e8f2dc5810c4a8db9e90b5
Instruction ID: 28c5aa73a27d3b1d5b957411ac682d6101d9ab623b9e7493a4e27f68a66e099a
Opcode Fuzzy Hash: e404052c3d79ec9ee43c2e103e01eea6aa6967ced3e8f2dc5810c4a8db9e90b5
Instruction Fuzzy Hash: D241E631608780FAD7399F29C988B2A7B92AB56318F15443DF48B56B71C732A983CB51

Function 001C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001C2D1B
GetDC.USER32(00000000), ref: 001C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001C2DE1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 041341bb5bc2aea3c6a9e847085fcacade6ce73ffd37e6bca9eef4244a7e9f20
Instruction ID: ca380ffb4c673c486810c3deec9207f9b5ce064139f250abe8ba12cabddf4e74
Opcode Fuzzy Hash: 041341bb5bc2aea3c6a9e847085fcacade6ce73ffd37e6bca9eef4244a7e9f20
Instruction Fuzzy Hash: AC318972201224BFEB218F508C8AFFB3FA9EB19711F084055FE099A291C675DC91CBA0

Function 00195622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00195637
_memcmp.LIBVCRUNTIME ref: 00195659
_memcmp.LIBVCRUNTIME ref: 00195671
_memcmp.LIBVCRUNTIME ref: 00195684
_memcmp.LIBVCRUNTIME ref: 0019569E
_memcmp.LIBVCRUNTIME ref: 001956B1
_memcmp.LIBVCRUNTIME ref: 001956C9
_memcmp.LIBVCRUNTIME ref: 001956E4

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 92000f1a73c9aec2bd96692047ccb71e772fcec6a51891f182bb35d713c79dc5
Instruction ID: 38606e7480b5e6cc4a784e0035cd74347e2fce1120c1d88defe7dbc870f840db
Opcode Fuzzy Hash: 92000f1a73c9aec2bd96692047ccb71e772fcec6a51891f182bb35d713c79dc5
Instruction Fuzzy Hash: 3621A761B41A09B7DB1A5E209D92FFA335FBF30795F440028FD04AE581F720EE1583A5

Function 001B4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 001B5007
NULL Pointer assignment, xrefs: 001B502E, 001B5383

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0bc693fd9821abfaa5a97b8bf4b4fb051968003ea8fee7ab06a4465dcbc526f3
Instruction ID: f76fdf8b6408d32767214c55d2b12ee14414b0c256e1ff89fff0bbe8381dce63
Opcode Fuzzy Hash: 0bc693fd9821abfaa5a97b8bf4b4fb051968003ea8fee7ab06a4465dcbc526f3
Instruction Fuzzy Hash: CCD1B075A0060A9FDF14DFA8C880FEEB7B6BF48344F148069E915AB291E770DD45CBA0

Function 00171522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00171651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001717FB,?,001717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001716FB

Part of subcall function 00163820: RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00171777
__freea.LIBCMT ref: 001717A2
__freea.LIBCMT ref: 001717AE

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7e248f9206c49389912c934d6cce0c68fe04b78bce8e8e5d8a0b2d8e7e2e8027
Instruction ID: 08e4932cf5bf5c449a15b991af40796fde7ca9fb67c19c68d0a4463ec3987de0
Opcode Fuzzy Hash: 7e248f9206c49389912c934d6cce0c68fe04b78bce8e8e5d8a0b2d8e7e2e8027
Instruction Fuzzy Hash: E791B472E00216BADB288EBCCC81EEE7BB5AF59710F198659F909E7141D735DD40CBA0

Function 001B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B4648
VariantInit.OLEAUT32(?), ref: 001B4749
VariantClear.OLEAUT32(?), ref: 001B4753
VariantClear.OLEAUT32(?), ref: 001B47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 001B472C
Null Object assignment in FOR..IN loop, xrefs: 001B45D8, 001B4706, 001B47BE

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 845a896c8e3ffe08e813b235b21ab77bf834089d42439843fc8ea61d0a7c4662
Instruction ID: 221a8f1bb6aab8b14351264312d5848eed70e29330fefe7e19201f6f949131a6
Opcode Fuzzy Hash: 845a896c8e3ffe08e813b235b21ab77bf834089d42439843fc8ea61d0a7c4662
Instruction Fuzzy Hash: DB918F71A00219ABDF24CFA5C884FEEBBB8EF46714F10C559F505AB282DB709945CFA0

Function 001A1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001A1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001A12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A1430

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 3b7aee944d84fb76c8f8e09ce26990da5ed0a52027f8e985ac747826e4394e64
Instruction ID: 28a0faadf53a02f06b0bc90c67bdf827109093f0d8bfefdc630e42d7a5a975ed
Opcode Fuzzy Hash: 3b7aee944d84fb76c8f8e09ce26990da5ed0a52027f8e985ac747826e4394e64
Instruction Fuzzy Hash: 8B91F479A00208AFDB05DFA8C884BBE77B5FF5A325F214029E941EB291D774E945CB90

Function 0014948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 54238e6aed4a9b8aee6a61b81b924999b8614fb7ebdeb9a75b5ef2f16dfcde98
Instruction ID: 28ebfb47307beb9a4d99119c817148959d7708d6057dd746c146dc5dcb91c4a3
Opcode Fuzzy Hash: 54238e6aed4a9b8aee6a61b81b924999b8614fb7ebdeb9a75b5ef2f16dfcde98
Instruction Fuzzy Hash: 5F911771D00219EFCB14CFA9C884AEEBBB9FF49320F24455AE515B7261D374AA41CF60

Function 001B3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B396B
CharUpperBuffW.USER32(?,?), ref: 001B3A7A
_wcslen.LIBCMT ref: 001B3A8A
VariantClear.OLEAUT32(?), ref: 001B3C1F

Part of subcall function 001A0CDF: VariantInit.OLEAUT32(00000000), ref: 001A0D1F
Part of subcall function 001A0CDF: VariantCopy.OLEAUT32(?,?), ref: 001A0D28
Part of subcall function 001A0CDF: VariantClear.OLEAUT32(?), ref: 001A0D34

Strings

AUTOIT.ERROR, xrefs: 001B3A80, 001B3A85
Incorrect Parameter format, xrefs: 001B39A6, 001B3BA1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 5a3358f7f7632b4a8ec66075a2b88f43d8e0d7e4a63921c35422a15d0df9230f
Instruction ID: 1d9a31f2cb215244832454d000d3ef1d2d426a8e8a3179653e2cf55a7a1f3d47
Opcode Fuzzy Hash: 5a3358f7f7632b4a8ec66075a2b88f43d8e0d7e4a63921c35422a15d0df9230f
Instruction Fuzzy Hash: E6917C756083059FCB14DF28C5809AABBE4FF99314F14886DF8999B351DB30EE46CB92

Function 001B4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0019000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?,?,0019035E), ref: 0019002B
Part of subcall function 0019000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190046
Part of subcall function 0019000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190054
Part of subcall function 0019000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?), ref: 00190064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001B4C51
_wcslen.LIBCMT ref: 001B4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001B4DCF
CoTaskMemFree.OLE32(?), ref: 001B4DDA

Strings

NULL Pointer assignment, xrefs: 001B4E23, 001B4E52

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: d2f1b20a8779ba7730554ae92393977ba3122e616991bc99f15f65e292e67ded
Instruction ID: 90cb661114068dff8ccfe91fa25962639fd0a74bc217ccf1504c2e2c9e54a18d
Opcode Fuzzy Hash: d2f1b20a8779ba7730554ae92393977ba3122e616991bc99f15f65e292e67ded
Instruction Fuzzy Hash: 26911571D0021DAFDF14DFA4D881AEEBBB9BF18314F108169E915AB251EB749E44CFA0

Function 001C20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001C2183
GetMenuItemCount.USER32(00000000), ref: 001C21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001C21DD
_wcslen.LIBCMT ref: 001C2213
GetMenuItemID.USER32(?,?), ref: 001C224D
GetSubMenu.USER32(?,?), ref: 001C225B

Part of subcall function 00193A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00193A57
Part of subcall function 00193A3D: GetCurrentThreadId.KERNEL32 ref: 00193A5E
Part of subcall function 00193A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001925B3), ref: 00193A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001C22E3

Part of subcall function 0019E97B: Sleep.KERNEL32 ref: 0019E9F3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: cbdd28a15c61a2a28d892bbf3ea01104fdca28f4eb1440a9b0424eb221b64b03
Instruction ID: 02a5d80cb18dd5782ed77b764e3c338388c887c76d29d377b0fb876f41656585
Opcode Fuzzy Hash: cbdd28a15c61a2a28d892bbf3ea01104fdca28f4eb1440a9b0424eb221b64b03
Instruction Fuzzy Hash: D0715B75A00215AFCB14EFA8C845EAEBBF5EF68320F15845DE816EB351DB34ED418B90

Function 001C7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011E4EC0), ref: 001C7F37
IsWindowEnabled.USER32(011E4EC0), ref: 001C7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001C801E
SendMessageW.USER32(011E4EC0,000000B0,?,?), ref: 001C8051
IsDlgButtonChecked.USER32(?,?), ref: 001C8089
GetWindowLongW.USER32(011E4EC0,000000EC), ref: 001C80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001C80C3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 810952180bb80132943537096bf4ba4fca9350ffd1f93a3b93da4ccfb16c951e
Instruction ID: 5a7724ca181322b01b2a6732e177a25e8ce95bef1b4e2b1b676547e61eea6e9c
Opcode Fuzzy Hash: 810952180bb80132943537096bf4ba4fca9350ffd1f93a3b93da4ccfb16c951e
Instruction Fuzzy Hash: E9719B34608204AFEB259F64C8D4FAABBB9EF29340F14405DF965972A1CBB1EC54DF60

Function 0019AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0019AEF9
GetKeyboardState.USER32(?), ref: 0019AF0E
SetKeyboardState.USER32(?), ref: 0019AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0019AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0019AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0019AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0019B020

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9ddea42c01dd7842311d7d0e36072ff0b2561b7236c8c8e426b89dcf0c8816b0
Instruction ID: 6d8b1887f772e3103c1e09e88bc277f0de942459d2b6e023fd04b202af39c71b
Opcode Fuzzy Hash: 9ddea42c01dd7842311d7d0e36072ff0b2561b7236c8c8e426b89dcf0c8816b0
Instruction Fuzzy Hash: 9E51A1A0A087D53DFF3642348D89BBABEA95F06304F088589F1D9558C2D399ACC8D791

Function 0019ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0019AD19
GetKeyboardState.USER32(?), ref: 0019AD2E
SetKeyboardState.USER32(?), ref: 0019AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0019ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0019ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0019AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0019AE38

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8f50e7a3d8dc9945a297acef9b7eaedca59afb031c88483223d68f6c43f0dc05
Instruction ID: 17cba1d6b1c6b5c9387ba8859faca71e95ddd72d70988dc349c9de38de3a00bb
Opcode Fuzzy Hash: 8f50e7a3d8dc9945a297acef9b7eaedca59afb031c88483223d68f6c43f0dc05
Instruction Fuzzy Hash: 8F51C5A15487D53DFF3683648C95B7A7EE96F46300F488488E1D9468C2D394EC8CD7D2

Function 0016542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00173CD6,?,?,?,?,?,?,?,?,00165BA3,?,?,00173CD6,?,?), ref: 00165470
__fassign.LIBCMT ref: 001654EB
__fassign.LIBCMT ref: 00165506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00173CD6,00000005,00000000,00000000), ref: 0016552C
WriteFile.KERNEL32(?,00173CD6,00000000,00165BA3,00000000,?,?,?,?,?,?,?,?,?,00165BA3,?), ref: 0016554B
WriteFile.KERNEL32(?,?,00000001,00165BA3,00000000,?,?,?,?,?,?,?,?,?,00165BA3,?), ref: 00165584

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: cf2c8cfa060bf7ceab8fcd8e41c913ce80ff69acad4f0a3372bc9e26c1b4ee0a
Instruction ID: 1dda55ca4b0b3ff028ae170433d6f38d76466610c5005cb34c476a4949aa8307
Opcode Fuzzy Hash: cf2c8cfa060bf7ceab8fcd8e41c913ce80ff69acad4f0a3372bc9e26c1b4ee0a
Instruction Fuzzy Hash: 445193719006499FDB10CFA8DC89AEEBBFAEF09300F14415AF556E7291D730DA51CB60

Function 00152D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00152D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00152D53
_ValidateLocalCookies.LIBCMT ref: 00152DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00152E0C
_ValidateLocalCookies.LIBCMT ref: 00152E61

Strings

csm, xrefs: 00152DF6

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ace5cde2bdea4a4f08e92a26963b2195d01bb09e3ae01c701c4d5ca716710b27
Instruction ID: 2931eb27482330a1a437c2604ac231893b1649ee88501f6d3e88eb3b336a9751
Opcode Fuzzy Hash: ace5cde2bdea4a4f08e92a26963b2195d01bb09e3ae01c701c4d5ca716710b27
Instruction Fuzzy Hash: E441D435A00208EBCF14DFA8C845A9EBBB4BF46326F148155EC346F352D731AA09CBD0

Function 001B10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001B307A
Part of subcall function 001B304E: _wcslen.LIBCMT ref: 001B309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001B1112
WSAGetLastError.WSOCK32 ref: 001B1121
WSAGetLastError.WSOCK32 ref: 001B11C9
closesocket.WSOCK32(00000000), ref: 001B11F9

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 045bb368a11770467c49cbe85ced239722e249153fde7cd5f0cc42b33c6a6da9
Instruction ID: 4ec028d808d57da62ebd9af03397e91c650af0f93c30f46c9d4ff6639e116e95
Opcode Fuzzy Hash: 045bb368a11770467c49cbe85ced239722e249153fde7cd5f0cc42b33c6a6da9
Instruction Fuzzy Hash: C041D235600204AFDB109F28C894BEABBEAEF45364F558059FD19AB291C770ED81CFE1

Function 0019CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0019DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0019CF22,?), ref: 0019DDFD

Part of subcall function 0019DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0019CF22,?), ref: 0019DE16

lstrcmpiW.KERNEL32(?,?), ref: 0019CF45
MoveFileW.KERNEL32(?,?), ref: 0019CF7F
_wcslen.LIBCMT ref: 0019D005
_wcslen.LIBCMT ref: 0019D01B
SHFileOperationW.SHELL32(?), ref: 0019D061

Strings

\*.*, xrefs: 0019CFF3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: cb95cad9830785f7fc2f52a7766038dedcb32cb45440aec9152e013d75f33cf5
Instruction ID: 3150283e917d7324915c3a17dd86ddc067378007a4ce054f6c30158c8612ec6a
Opcode Fuzzy Hash: cb95cad9830785f7fc2f52a7766038dedcb32cb45440aec9152e013d75f33cf5
Instruction Fuzzy Hash: D54137719452189FDF16EFA4D981EDEB7F9AF58380F1000E6E549EB141EB34AB88CB50

Function 001C2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001C2E1C
GetWindowLongW.USER32(?,000000F0), ref: 001C2E4F
GetWindowLongW.USER32(?,000000F0), ref: 001C2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001C2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001C2EE0
GetWindowLongW.USER32(?,000000F0), ref: 001C2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001C2F0B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5ba0272c46e9ed00cbf8705a48311f9245a66e369105ec99cdfea6493d7ffa06
Instruction ID: 9dfb369b1dc125bfd28dfcfcabc5028387dd8ac5b9e587d6070dd7910fab6488
Opcode Fuzzy Hash: 5ba0272c46e9ed00cbf8705a48311f9245a66e369105ec99cdfea6493d7ffa06
Instruction Fuzzy Hash: 1E3105306042589FDB21DF58DD88FA53BE1EB6A710F150168F9049B2B2CB71EC90DB41

Function 00197726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0019778F
SysAllocString.OLEAUT32(00000000), ref: 00197792
SysAllocString.OLEAUT32(?), ref: 001977B0
SysFreeString.OLEAUT32(?), ref: 001977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001977DE
SysAllocString.OLEAUT32(?), ref: 001977EC

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3155c0922c8863fb317e580a74ed2b2dbd5aef7f944af6de37fe8d4e31c4c4ec
Instruction ID: 8e84051fc3ea768da370bc8b0aff790266b43eb58262aadd61f58756ae21adaa
Opcode Fuzzy Hash: 3155c0922c8863fb317e580a74ed2b2dbd5aef7f944af6de37fe8d4e31c4c4ec
Instruction Fuzzy Hash: 2F218176614219AFDF14DFA9CC88CBB77ACEF097647058425F915DB2A0D770DC8187A0

Function 001977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197868
SysAllocString.OLEAUT32(00000000), ref: 0019786B
SysAllocString.OLEAUT32 ref: 0019788C
SysFreeString.OLEAUT32 ref: 00197895
StringFromGUID2.OLE32(?,?,00000028), ref: 001978AF
SysAllocString.OLEAUT32(?), ref: 001978BD

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b550e6bf4c049acdc23735a8c4cf34ca0cd42f04958dfd668de167a760b97b54
Instruction ID: 9c4409d86502027a45358e124e2adad9b63c813e397fb2209726854805992f5d
Opcode Fuzzy Hash: b550e6bf4c049acdc23735a8c4cf34ca0cd42f04958dfd668de167a760b97b54
Instruction Fuzzy Hash: B6217F71A18204AFDF14AFA8DC88DAA77ECFF097607158125F915CB2A1DB70DC81CBA4

Function 001A04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001A04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A052E

Strings

nul, xrefs: 001A0567

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 88b0de8cb47fb0b10cbbbc9460744b9eaab6de9643e7183a044f61247e37b629
Instruction ID: 978ea216db38a31eca82d1e633ade44c83b58a8570df43cf7756c85073c45b45
Opcode Fuzzy Hash: 88b0de8cb47fb0b10cbbbc9460744b9eaab6de9643e7183a044f61247e37b629
Instruction Fuzzy Hash: B9219C79900305AFDF219F69DC44A9A7BB4BF4A764F204A19F8A1D72E0E770D990CF60

Function 001A05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001A05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A0601

Strings

nul, xrefs: 001A0639

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 82bf415bc68fe8ea8c3ab6657bdbfd4957f161de30a2a0c559226cf38e8e2969
Instruction ID: e940b2017ef788eecd0ccd17c47c5fcbee49eb6992719f6516da83d402762866
Opcode Fuzzy Hash: 82bf415bc68fe8ea8c3ab6657bdbfd4957f161de30a2a0c559226cf38e8e2969
Instruction Fuzzy Hash: 552162795003059FDB219F69DC04E9A77E4BF9A724F200A19F9A5E72E0E770D9A0CB50

Function 001C40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0013600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0013604C
Part of subcall function 0013600E: GetStockObject.GDI32(00000011), ref: 00136060
Part of subcall function 0013600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0013606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001C4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001C411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001C412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001C4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001C4145

Strings

Msctls_Progress32, xrefs: 001C40E3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 44c7192681ec91b2f061a2810b433556181409f39fa2ad1d18dae8e395ca4c76
Instruction ID: 7c6df3cc7995618a397cce0d1e7e019c59fc53ccb96d35044c21aa8899907a52
Opcode Fuzzy Hash: 44c7192681ec91b2f061a2810b433556181409f39fa2ad1d18dae8e395ca4c76
Instruction Fuzzy Hash: BA1190B2140219BEFF119E64CC86EE77FADEF18798F014111FA18A2190C772DC619BA4

Function 0016D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0016D7A3: _free.LIBCMT ref: 0016D7CC

_free.LIBCMT ref: 0016D82D

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 0016D838
_free.LIBCMT ref: 0016D843
_free.LIBCMT ref: 0016D897
_free.LIBCMT ref: 0016D8A2
_free.LIBCMT ref: 0016D8AD
_free.LIBCMT ref: 0016D8B8

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9f551bb3112a99225cdc13694ff4497d669e86bc728428cbdb1ccf6683544b03
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B7118B71B40B14AADA21BFF0DC07FCB7BDCAF60704F440825F699A7092DB34B5258662

Function 0019DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0019DA74
LoadStringW.USER32(00000000), ref: 0019DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0019DA91
LoadStringW.USER32(00000000), ref: 0019DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0019DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0019DAB9

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5908fe498d338b8a7e468227026b4cfac185600ab9c5564435bd590188733ece
Instruction ID: 16a6df9df43bc9b091c391275afd1846b880e58b8ab0017c83f6e31c722ee31a
Opcode Fuzzy Hash: 5908fe498d338b8a7e468227026b4cfac185600ab9c5564435bd590188733ece
Instruction Fuzzy Hash: E60162F6900208BFEB10ABA4DD89EE7366CE708301F400495F74AE2441EA74DE848FB4

Function 001A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(011EE308,011EE308), ref: 001A097B
EnterCriticalSection.KERNEL32(011EE2E8,00000000), ref: 001A098D
TerminateThread.KERNEL32(?,000001F6), ref: 001A099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001A09A9
CloseHandle.KERNEL32(?), ref: 001A09B8
InterlockedExchange.KERNEL32(011EE308,000001F6), ref: 001A09C8
LeaveCriticalSection.KERNEL32(011EE2E8), ref: 001A09CF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a5b41f4904f9650ba54e2bdc5707431c98c98f9e7f6f73e30d9d917bc2686f32
Instruction ID: cdb647b928924e74e5e75cf182321fb25b9e68b1ac79c3908a48bf4a9a4a0910
Opcode Fuzzy Hash: a5b41f4904f9650ba54e2bdc5707431c98c98f9e7f6f73e30d9d917bc2686f32
Instruction Fuzzy Hash: 3EF0C932442A12ABD7525BA4EE89ED6BA29FF05706F442025F20690CA1C775D8A5CFD0

Function 001B1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001B1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001B1DE1
WSAGetLastError.WSOCK32 ref: 001B1DF2
htons.WSOCK32(?,?,?,?,?), ref: 001B1EDB
inet_ntoa.WSOCK32(?), ref: 001B1E8C

Part of subcall function 001939E8: _strlen.LIBCMT ref: 001939F2

Part of subcall function 001B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001AEC0C), ref: 001B3240

_strlen.LIBCMT ref: 001B1F35

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9b1b32b1990a57626664597130f6e4855e5621d90dd0f447d0f42eafc05ddb61
Instruction ID: 513c6a1a4e42ca861d2bcf9c0fdabb1a26b9d9d3b2e36d74352f404fac196532
Opcode Fuzzy Hash: 9b1b32b1990a57626664597130f6e4855e5621d90dd0f447d0f42eafc05ddb61
Instruction Fuzzy Hash: 17B1DE31204300AFC324EF24C8A5E6A7BE5AF94318F95894CF55A5B2E2DB71ED46CB91

Function 00135D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00135D30
GetWindowRect.USER32(?,?), ref: 00135D71
ScreenToClient.USER32(?,?), ref: 00135D99
GetClientRect.USER32(?,?), ref: 00135ED7
GetWindowRect.USER32(?,?), ref: 00135EF8

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 8e04ac5e6611a7ef5f93e94f6cdb95185500235f1f82a6401565fec1f2ef2818
Instruction ID: be0a51a948be547ad5525cc176e06a466297ed278a26f0b2f3fc4de71d6c1099
Opcode Fuzzy Hash: 8e04ac5e6611a7ef5f93e94f6cdb95185500235f1f82a6401565fec1f2ef2818
Instruction Fuzzy Hash: 0FB15839A00B4ADBDB14CFA9C4807EEB7F2FF58310F14851AE8A9D7250DB34AA51DB54

Function 001601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001600D6
__allrem.LIBCMT ref: 001600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0016010B
__allrem.LIBCMT ref: 00160122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00160140

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a8ca65d04a95fcf7d6c8e76e6104a5eb9e1ccb585c844afaa3beefac8c3b0aac
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 3D815772A00706ABE7259F38CC81B6B73E8AF55364F24453EF861CB6C1E7B0D9558B90

Function 001661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001582D9,001582D9,?,?,?,0016644F,00000001,00000001,8BE85006), ref: 00166258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0016644F,00000001,00000001,8BE85006,?,?,?), ref: 001662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001663D8
__freea.LIBCMT ref: 001663E5

Part of subcall function 00163820: RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

__freea.LIBCMT ref: 001663EE
__freea.LIBCMT ref: 00166413

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 25ea97ff1ec88ebb47ab01c292ae3e86df270c481124135b1e5c831c6a3af603
Instruction ID: 508d82c21a9f74c119c2999e7c9e543881f0c6a4d1a3c1dc6dc35a9c7c39b1a1
Opcode Fuzzy Hash: 25ea97ff1ec88ebb47ab01c292ae3e86df270c481124135b1e5c831c6a3af603
Instruction Fuzzy Hash: 0F51B172A00216ABEB258F64DC81EBF7BA9FF55750F154629FC09DB240EB34DC60D6A0

Function 001BBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 001BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BB6AE,?,?), ref: 001BC9B5
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BC9F1
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA68
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001BBD25
RegCloseKey.ADVAPI32(00000000), ref: 001BBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001BBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001BBDF3
RegCloseKey.ADVAPI32(?), ref: 001BBDFF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 0b130fb0c57c6b17171bebe88f40fd65c02f3f4c4296a23501182e52b6b141fc
Instruction ID: 5800c90fb042b0cd30d3f4c06b78da4381c5dca61367245328562e1f598fe96a
Opcode Fuzzy Hash: 0b130fb0c57c6b17171bebe88f40fd65c02f3f4c4296a23501182e52b6b141fc
Instruction Fuzzy Hash: CC81AC30208241AFD714DF64C8D1E6ABBE5FF84308F54895CF4998B6A2DB71ED45CB92

Function 0018F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0018F7B9
SysAllocString.OLEAUT32(00000001), ref: 0018F860
VariantCopy.OLEAUT32(0018FA64,00000000), ref: 0018F889
VariantClear.OLEAUT32(0018FA64), ref: 0018F8AD
VariantCopy.OLEAUT32(0018FA64,00000000), ref: 0018F8B1
VariantClear.OLEAUT32(?), ref: 0018F8BB

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 7419c6d9d67ac7708ba80a87fce86cda0d5efcc99c5cc8fbe206aeede8a4050c
Instruction ID: 3f393023e671d055dd35b557b264b6095dd6d3a5603a1b2d87b1646a9d0baa54
Opcode Fuzzy Hash: 7419c6d9d67ac7708ba80a87fce86cda0d5efcc99c5cc8fbe206aeede8a4050c
Instruction Fuzzy Hash: E651D635A00310BACF14BB65D895B29B3A4EF55314F20846EF905DF291DB708D46CFA6

Function 001A910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00137620: _wcslen.LIBCMT ref: 00137625

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001A94E5
_wcslen.LIBCMT ref: 001A9506
_wcslen.LIBCMT ref: 001A952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001A9585

Strings

X, xrefs: 001A9412

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b3a17b8455ea5ed15e2b94a1e5f4ec59643e02fe65697329f2a4534886c1679f
Instruction ID: 11fdf6af1235b099d9001dd6093fa9281ac3275eee5cf45f04e56a9e896cab65
Opcode Fuzzy Hash: b3a17b8455ea5ed15e2b94a1e5f4ec59643e02fe65697329f2a4534886c1679f
Instruction Fuzzy Hash: 1DE1AF75908340DFDB24DF24C881B6AB7E0BF95314F04896DF8999B2A2DB31ED45CB92

Function 0014920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

BeginPaint.USER32(?,?,?), ref: 00149241
GetWindowRect.USER32(?,?), ref: 001492A5
ScreenToClient.USER32(?,?), ref: 001492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001492D3
EndPaint.USER32(?,?,?,?,?), ref: 00149321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001871EA

Part of subcall function 00149339: BeginPath.GDI32(00000000), ref: 00149357

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 39b5163af17bd87d4186545a565f1daec40cecd4d45ce61905069f883496d86d
Instruction ID: 5496c414674cc377c418dab2a8c598225a4b66e26e61da32717262168655fc4c
Opcode Fuzzy Hash: 39b5163af17bd87d4186545a565f1daec40cecd4d45ce61905069f883496d86d
Instruction Fuzzy Hash: BB418A70104300AFD721EF24D889FAB7BB8EF56720F140669F994866F2C7719985DB61

Function 001A07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001A080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001A0847
EnterCriticalSection.KERNEL32(?), ref: 001A0863
LeaveCriticalSection.KERNEL32(?), ref: 001A08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001A08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001A0921

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 454e3e59e4dc3d436f5eb85c28324e2d3f09dc6e82e574ad5307a1da5f0d4897
Instruction ID: d5d2840589f02ce09db391e89ffd049f251c757c795a908676c6a5a31ed2d5a7
Opcode Fuzzy Hash: 454e3e59e4dc3d436f5eb85c28324e2d3f09dc6e82e574ad5307a1da5f0d4897
Instruction Fuzzy Hash: 70416B71900205EFDF15DF54DC85AAAB7B8FF09310F1440A9ED04AA2A7D730DE65DBA4

Function 001C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0018F3AB,00000000,?,?,00000000,?,0018682C,00000004,00000000,00000000), ref: 001C824C
EnableWindow.USER32(?,00000000), ref: 001C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001C82D1
ShowWindow.USER32(?,00000004), ref: 001C82E5
EnableWindow.USER32(?,00000001), ref: 001C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001C832F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c1dcb81ce428d052e2a9e56467a3918a5578e593e27dbee65b4a034603097416
Instruction ID: 483422155ca791d32b23c8f82914ddbe216aae3918cd1b37f91faac4b34a4b9f
Opcode Fuzzy Hash: c1dcb81ce428d052e2a9e56467a3918a5578e593e27dbee65b4a034603097416
Instruction Fuzzy Hash: D6419C30601654AFDB25CF24D8DDFA47BE1FB1A714F1852ADE5084B2A2CB31E851CB50

Function 00194C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00194C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00194CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00194CEA
_wcslen.LIBCMT ref: 00194D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00194D10
_wcsstr.LIBVCRUNTIME ref: 00194D1A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 16f6c9740127827451f7045cf7d63a27518b98dc598961cba3fec178b76d5478
Instruction ID: 589f16deca443b020af4441fca886762fc4c2fa9e9ba771a73609f61c52f7396
Opcode Fuzzy Hash: 16f6c9740127827451f7045cf7d63a27518b98dc598961cba3fec178b76d5478
Instruction Fuzzy Hash: C7212676604210BBEF155B79AD09EBB7FDCDF55750F10802DF809DA2A1EB61CC4282A0

Function 001A581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00133AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00133A97,?,?,00132E7F,?,?,?,00000000), ref: 00133AC2

_wcslen.LIBCMT ref: 001A587B
CoInitialize.OLE32(00000000), ref: 001A5995
CoCreateInstance.OLE32(001CFCF8,00000000,00000001,001CFB68,?), ref: 001A59AE
CoUninitialize.OLE32 ref: 001A59CC

Strings

.lnk, xrefs: 001A5876, 001A58C1, 001A5985

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c58ab410ef520c82ac4a51e4d936740179d22b7b09c4667f54176523ba7b8843
Instruction ID: f71f1e0339078ce810d9c54256418341a350c8233191d53178c67260ab786895
Opcode Fuzzy Hash: c58ab410ef520c82ac4a51e4d936740179d22b7b09c4667f54176523ba7b8843
Instruction Fuzzy Hash: 1CD142796087019FC714DF25C480A2ABBE6FF9A724F14885DF8899B361DB31EC45CB92

Function 0019175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00190FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00190FCA
Part of subcall function 00190FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00190FD6
Part of subcall function 00190FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00190FE5
Part of subcall function 00190FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00190FEC
Part of subcall function 00190FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00191002

GetLengthSid.ADVAPI32(?,00000000,00191335), ref: 001917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001917BA
HeapAlloc.KERNEL32(00000000), ref: 001917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001917DA
GetProcessHeap.KERNEL32(00000000,00000000,00191335), ref: 001917EE
HeapFree.KERNEL32(00000000), ref: 001917F5

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 671bc8fddabcddf3180223ad2eb5a219329ec1b9e587e77c0afa4cb015b93726
Instruction ID: 3d7ff51ab9d2ea21d5c0e389ea21694e9692df611e816886fdc5606537bb3b93
Opcode Fuzzy Hash: 671bc8fddabcddf3180223ad2eb5a219329ec1b9e587e77c0afa4cb015b93726
Instruction Fuzzy Hash: 58116732A00606FFDF189FA5CC49FAE7BA9EB45355F144018F486A7220D736AD84CBA0

Function 001914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00191506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00191515
CloseHandle.KERNEL32(00000004), ref: 00191520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0019154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00191563

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e663e91b712fa846e0e49d82eaa6dc8441587064f571d1b97b1135179571735e
Instruction ID: e9696983a92be3deaa6a8743cb44bf56d2f690411c02aa91e6d2295044f99fef
Opcode Fuzzy Hash: e663e91b712fa846e0e49d82eaa6dc8441587064f571d1b97b1135179571735e
Instruction Fuzzy Hash: 4A11297250424ABBEF118F98ED49FDE7BA9FF49744F054015FA09A2060C375DEA1DBA0

Function 00153382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00153379,00152FE5), ref: 00153390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0015339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001533B7
SetLastError.KERNEL32(00000000,?,00153379,00152FE5), ref: 00153409

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: dfa60e59f5f75d8e8e07494d5c8fbdc4bfac70c90fe86ae927ba965434b9d576
Instruction ID: fcbc232e38d4f4575e2a81422cf1a30e8eafda7cb03a003caa180db6bc38b54c
Opcode Fuzzy Hash: dfa60e59f5f75d8e8e07494d5c8fbdc4bfac70c90fe86ae927ba965434b9d576
Instruction Fuzzy Hash: EB012832609315FEE61927747D859662A54FB153FB320022DFC308F1F0EF214E4EA588

Function 00162D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00165686,00173CD6,?,00000000,?,00165B6A,?,?,?,?,?,0015E6D1,?,001F8A48), ref: 00162D78
_free.LIBCMT ref: 00162DAB
_free.LIBCMT ref: 00162DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0015E6D1,?,001F8A48,00000010,00134F4A,?,?,00000000,00173CD6), ref: 00162DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0015E6D1,?,001F8A48,00000010,00134F4A,?,?,00000000,00173CD6), ref: 00162DEC
_abort.LIBCMT ref: 00162DF2

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 923367e7b90c916be9db53d96dc22e1cb91e18f4fe87316f6d34601a1d2ac5a3
Instruction ID: 7f02305b2995dd46dd577e62831c66a4f622598011ea6de293eecbb6e3091b17
Opcode Fuzzy Hash: 923367e7b90c916be9db53d96dc22e1cb91e18f4fe87316f6d34601a1d2ac5a3
Instruction Fuzzy Hash: A3F0C832A04E1167C31627B4BC16E6E2959BFD27A1F250418F828935D2EF34CC7152A0

Function 001C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00149639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00149693
Part of subcall function 00149639: SelectObject.GDI32(?,00000000), ref: 001496A2
Part of subcall function 00149639: BeginPath.GDI32(?), ref: 001496B9
Part of subcall function 00149639: SelectObject.GDI32(?,00000000), ref: 001496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001C8A70
LineTo.GDI32(?,00000000,00000003), ref: 001C8A80
EndPath.GDI32(?), ref: 001C8A90
StrokePath.GDI32(?), ref: 001C8AA0

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a6b800ea71b2739b006c7f3795bc7e5d4fab505e67753eafee7f41237d0fbb40
Instruction ID: 11f4d90d50d129225858704a51188c38f4490a9ee68ef82257aee6c0930add07
Opcode Fuzzy Hash: a6b800ea71b2739b006c7f3795bc7e5d4fab505e67753eafee7f41237d0fbb40
Instruction Fuzzy Hash: 6411097640014CFFDB129F90DC88EAA7F6CEB08350F048016FA599A5A1C771DDA5DFA0

Function 001951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00195218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00195229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00195230
ReleaseDC.USER32(00000000,00000000), ref: 00195238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0019524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00195261

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c073b6fab22101fa6131d7b39c7166a902f6d874db411c2e770e113e152ade50
Instruction ID: 93e9cc74dc08ac7f245b598e25b0c988d75bb2f9ff082b744af7eed4cc50d9c5
Opcode Fuzzy Hash: c073b6fab22101fa6131d7b39c7166a902f6d874db411c2e770e113e152ade50
Instruction Fuzzy Hash: 9F018475A01714BBEF105BA59C49E4EBF78EB44751F044065FA08A7680D670DC00CFA0

Function 00131BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00131BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00131BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00131C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00131C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00131C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00131C22

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2dbc3ff6229ef315ec3fb3ab1def07b09facb07f838e15e170bcd3d12cae3dd1
Instruction ID: 12799852d031e281facfb09609453463f9594cafe5521d6363435752a7c14fa8
Opcode Fuzzy Hash: 2dbc3ff6229ef315ec3fb3ab1def07b09facb07f838e15e170bcd3d12cae3dd1
Instruction Fuzzy Hash: 450148B09027597DE3008F5A8C85A52FEA8FF19354F00411B915C47A41C7B5A864CBE5

Function 0019EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0019EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0019EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0019EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0019EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0019EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0019EB75

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 368b831c0f7b8c1e74a39e4b11c94e7c0bbbfac6b6d9e8d6286d7b4bacd1970c
Instruction ID: 3f8c527cc28e14397bef98be8eb6a685335aa6ec719f89877164470c088a8d3d
Opcode Fuzzy Hash: 368b831c0f7b8c1e74a39e4b11c94e7c0bbbfac6b6d9e8d6286d7b4bacd1970c
Instruction Fuzzy Hash: D7F01772640168BBE7215B629D0EEEB3E7CEBCAB15F000158F605D1591A7A09E41CAF5

Function 00187439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00187452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00187469
GetWindowDC.USER32(?), ref: 00187475
GetPixel.GDI32(00000000,?,?), ref: 00187484
ReleaseDC.USER32(?,00000000), ref: 00187496
GetSysColor.USER32(00000005), ref: 001874B0

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 374fa4dd8945a03f0a8e85c8d875b6f19b78a58cf74d511141b1ef98c39f5c15
Instruction ID: f886cd4b8d9cd17c28a862a88b90b59cbd6b9c6b9b49df8428ecdf29a753f709
Opcode Fuzzy Hash: 374fa4dd8945a03f0a8e85c8d875b6f19b78a58cf74d511141b1ef98c39f5c15
Instruction Fuzzy Hash: FB014B31500215EFDB51AFA4DD08FEABFB5FB04311F650164F919A25A1CB319E92AF90

Function 00191874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0019187F
UnloadUserProfile.USERENV(?,?), ref: 0019188B
CloseHandle.KERNEL32(?), ref: 00191894
CloseHandle.KERNEL32(?), ref: 0019189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001918A5
HeapFree.KERNEL32(00000000), ref: 001918AC

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d5845ec733c959f962b79e4d6b067de1f648e9af749df1707f31ff3432fe0271
Instruction ID: 34d3f0498fc0dd8ef916ce5c39e7a766757a5cd343b86811c04f06d46e151395
Opcode Fuzzy Hash: d5845ec733c959f962b79e4d6b067de1f648e9af749df1707f31ff3432fe0271
Instruction Fuzzy Hash: 91E0E536404601FBDB015FA2ED0CD0ABF39FF49B22B108220F22981870CB32D8A0DF90

Function 0013BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0013BEB3

Strings

D% , xrefs: 0013BE9A
D% D% , xrefs: 0013BCA5
D% , xrefs: 0013BDED, 0013BD91, 0013BD1B
D% , xrefs: 0013BCA2

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D% $D% $D% $D% D%
API String ID: 1385522511-3319970960
Opcode ID: 123b63b3641af14c2add86778e49213d0e8101826c4ecbed34b56f27523b95b1
Instruction ID: 15977a0be8ad75f9e3a99a95985211059234c24ea3bbbb6c8a796772d4931253
Opcode Fuzzy Hash: 123b63b3641af14c2add86778e49213d0e8101826c4ecbed34b56f27523b95b1
Instruction Fuzzy Hash: 7E914A75A0420ACFCB28CF99C4D06A9BBF1FF58314F64816ADA45AB351E731E981CB90

Function 0019C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00137620: _wcslen.LIBCMT ref: 00137625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0019C6EE
_wcslen.LIBCMT ref: 0019C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0019C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0019C7CA

Strings

0, xrefs: 0019C6AF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 3eb38956487c1d02ea124d08b59e7d91719bd724e2b2c9591a0c7b8aefcbfeee
Instruction ID: f56ba4b97f664ff6dfe827bf3a39d188e12726580f5577d9d151171d00e70242
Opcode Fuzzy Hash: 3eb38956487c1d02ea124d08b59e7d91719bd724e2b2c9591a0c7b8aefcbfeee
Instruction Fuzzy Hash: 4D51BE726143419BDB189F68C885B6BB7E8AF59314F040A2DF9D5D32E1DB70D904CBD2

Function 001BAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001BAEA3

Part of subcall function 00137620: _wcslen.LIBCMT ref: 00137625

GetProcessId.KERNEL32(00000000), ref: 001BAF38
CloseHandle.KERNEL32(00000000), ref: 001BAF67

Strings

<, xrefs: 001BAE6B
@, xrefs: 001BAE72

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d7a553093e3871dd762e2ef48458a67511cdd158f6e369c2d3d612a385a0cc7a
Instruction ID: 2f10ccedb49ed9c62725257f7357d0f816dd63e8d452d23a47ee56ec18e99fe3
Opcode Fuzzy Hash: d7a553093e3871dd762e2ef48458a67511cdd158f6e369c2d3d612a385a0cc7a
Instruction Fuzzy Hash: C6717975A00619DFCB14DFA8D494A9EBBF0FF08310F448499E856AB3A2CB74ED45CB91

Function 0019719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00197206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0019723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0019724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001972CF

Strings

DllGetClassObject, xrefs: 00197242

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: dae852afae1b3c0c68eadfb07a779810bbcea2317c4b725571b81eabe826e776
Instruction ID: aa682de06ec362983361a161bb87098997514bb9e11af98a727e4e3ff9133181
Opcode Fuzzy Hash: dae852afae1b3c0c68eadfb07a779810bbcea2317c4b725571b81eabe826e776
Instruction Fuzzy Hash: F5416E71A24204EFDF15CF54C885A9A7BA9EF44710F2580ADBD099F28AD7B0DD45CBA0

Function 001C3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001C3E35
IsMenu.USER32(?), ref: 001C3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001C3E92
DrawMenuBar.USER32 ref: 001C3EA5

Strings

0, xrefs: 001C3D89

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: cbaf8f1745c3048f30b3c51c0d70255edfa46ca03d0fdf695aa0b2a6be3f59a0
Instruction ID: 6f694e18022d92e8e41953fac44ff4318f9fd3528185b2dd6445cb02755bbbdc
Opcode Fuzzy Hash: cbaf8f1745c3048f30b3c51c0d70255edfa46ca03d0fdf695aa0b2a6be3f59a0
Instruction Fuzzy Hash: EA414675A00209AFDB10DF50E884EAABBB9FF59354F04812DE925AB250D730EE55CFA0

Function 00191DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 00193CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00193CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00191E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00191E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00191EA9

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

Strings

ComboBox, xrefs: 00191DF0
ListBox, xrefs: 00191E25

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 59d1888a4eecc601049beddcf0475f80c65923844c11984af600a93878b3a614
Instruction ID: 6e111f49f57c471c8e995bfa118ce3f6cc104e05b517b806e56e3e3ab22fbeb1
Opcode Fuzzy Hash: 59d1888a4eecc601049beddcf0475f80c65923844c11984af600a93878b3a614
Instruction Fuzzy Hash: D6216671A00108BFDF19ABA4DC4ACFFBBB9DF61350F104119F825A72E0DB744D4A8A20

Function 001C2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001C2F8D
LoadLibraryW.KERNEL32(?), ref: 001C2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001C2FA9
DestroyWindow.USER32(?), ref: 001C2FB1

Strings

SysAnimate32, xrefs: 001C2F68

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 7fe529b8ca710fbc7ba7147210a04ee9313af4a34abac84b43267db0fb0cb84e
Instruction ID: b64ff71e7d87a5026b6f48ca24b80406e04fe484c4826edc08748565650609ae
Opcode Fuzzy Hash: 7fe529b8ca710fbc7ba7147210a04ee9313af4a34abac84b43267db0fb0cb84e
Instruction Fuzzy Hash: 5B21CA72200209ABEB218FA4DC80FBB77BDEB69364F10462CFA50D31A0D771DC9197A0

Function 00154D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00154D1E,001628E9,?,00154CBE,001628E9,001F88B8,0000000C,00154E15,001628E9,00000002), ref: 00154D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00154DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00154D1E,001628E9,?,00154CBE,001628E9,001F88B8,0000000C,00154E15,001628E9,00000002,00000000), ref: 00154DC3

Strings

CorExitProcess, xrefs: 00154D98
mscoree.dll, xrefs: 00154D86

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 190222d0373d4728e245f05ec44ad6c59a90b29513309253be1dad503598da54
Instruction ID: 25109bed9fc2e6ae43be92e89aaa3d7408eac001ce9fc1fe55c0c0c3b8ee43ba
Opcode Fuzzy Hash: 190222d0373d4728e245f05ec44ad6c59a90b29513309253be1dad503598da54
Instruction Fuzzy Hash: 59F03C35A40208EBDB119B95DC49BEEBFB5EF58756F0400A9FC09A6660CB309E84DAD0

Function 0018D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0018D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0018D3BF
FreeLibrary.KERNEL32(00000000), ref: 0018D3E5

Strings

X64, xrefs: 0018D2A8
GetSystemWow64DirectoryW, xrefs: 0018D3B9

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 0cb07e0200b3d39eb00dea83cde4a39a0fb31a15e96f163d796346936d028aca
Instruction ID: 32ad240ee1da44b5d9fa3f7b99893fb32422378bff5190dec437d5e3979fc11a
Opcode Fuzzy Hash: 0cb07e0200b3d39eb00dea83cde4a39a0fb31a15e96f163d796346936d028aca
Instruction Fuzzy Hash: 07F05571805721EBD7353711BC08DA9B711BF10B01B5A8158F80AF20D1CB20CF808FC2

Function 00134E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00134EDD,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00134EAE
FreeLibrary.KERNEL32(00000000,?,?,00134EDD,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00134EA8
kernel32.dll, xrefs: 00134E94

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ef572c3d9f89a8137c9c73ca96dd992958d78b3856000cd77e3028a2e0ee2400
Instruction ID: 6da6e2b8ac8a9d3f8059799be8a64a4d1b1793b3bc77ad7d202737364e7954c4
Opcode Fuzzy Hash: ef572c3d9f89a8137c9c73ca96dd992958d78b3856000cd77e3028a2e0ee2400
Instruction Fuzzy Hash: 91E0CD35E015229BD23117266C19F6F6954AFC1F62F0D0125FD08D2110DB64DD4284F4

Function 00134E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00173CDE,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00134E74
FreeLibrary.KERNEL32(00000000,?,?,00173CDE,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E87

Strings

kernel32.dll, xrefs: 00134E5B
Wow64RevertWow64FsRedirection, xrefs: 00134E6E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2b23447a3f7619e61bd8095539c195eb767fa74977a9550410b6e1c01d67fdf5
Instruction ID: b74e493a3da5bc5c5a20f2e42bc173c39e48f5db59f5ffeefeda5b3e08b99b93
Opcode Fuzzy Hash: 2b23447a3f7619e61bd8095539c195eb767fa74977a9550410b6e1c01d67fdf5
Instruction Fuzzy Hash: 64D05B3690263197E6321B66BC1DEDF6E18AF85F517090535F909E2114CF64DD42C5D0

Function 001A2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A2C05
DeleteFileW.KERNEL32(?), ref: 001A2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001A2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A2CC0

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 3ec189ab21ce6e7c8f589bf50487839226ba0bf5b44e783c7a57bc1cbf2d8e4e
Instruction ID: 082b82e1e57e3d6ccaaf5bb87387102a9321dbb25e66f555237b421f54af5c68
Opcode Fuzzy Hash: 3ec189ab21ce6e7c8f589bf50487839226ba0bf5b44e783c7a57bc1cbf2d8e4e
Instruction Fuzzy Hash: B4B16C75900119ABDF25DBA8CC85EDEBBBDEF59310F1040A6FA09E6141EB319A488B61

Function 001BA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001BA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001BA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001BA468
CloseHandle.KERNEL32(?), ref: 001BA63D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 33ad341bd41cf3db24dfc990c0500c1a78f4111bb28e01493c93d0eee5a053b2
Instruction ID: f6c9652394cb4102603e615982b1682befd2025234f25223c9b94ff573ee2545
Opcode Fuzzy Hash: 33ad341bd41cf3db24dfc990c0500c1a78f4111bb28e01493c93d0eee5a053b2
Instruction Fuzzy Hash: 57A1A371604300AFE720DF28D886F6AB7E5AF94714F54881DF69A9B2D2D770EC41CB92

Function 0016BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001D3700), ref: 0016BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0020121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0016BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00201270,000000FF,?,0000003F,00000000,?), ref: 0016BC36
_free.LIBCMT ref: 0016BB7F

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 0016BD4B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: cddea731753d4234425336ac0c172571e7b69283368b7e2a2085927a10577599
Instruction ID: 3e982c6faa02e152f6de2f217da3283d9c34429e132e6967d4b5df7ab9c78326
Opcode Fuzzy Hash: cddea731753d4234425336ac0c172571e7b69283368b7e2a2085927a10577599
Instruction Fuzzy Hash: CB51E471908219EFCB14EF699CC59BEB7B8FF50350B10426AE554D7292EB309EA18B90

Function 0019E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0019DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0019CF22,?), ref: 0019DDFD

Part of subcall function 0019DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0019CF22,?), ref: 0019DE16

Part of subcall function 0019E199: GetFileAttributesW.KERNEL32(?,0019CF95), ref: 0019E19A

lstrcmpiW.KERNEL32(?,?), ref: 0019E473
MoveFileW.KERNEL32(?,?), ref: 0019E4AC
_wcslen.LIBCMT ref: 0019E5EB
_wcslen.LIBCMT ref: 0019E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0019E650

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 998614e8a3a7b23036d9adeed5f7f8d759c1e8453f4b03f7b958600fb1f9adce
Instruction ID: 7a85c2b05355dda61d777fd2fbff3be8ce7325c4159711d54556543ce8a529d6
Opcode Fuzzy Hash: 998614e8a3a7b23036d9adeed5f7f8d759c1e8453f4b03f7b958600fb1f9adce
Instruction Fuzzy Hash: 895152B24083459BCB24DB94D8819DFB7ECAF94344F00492EF589D7191EF74A68CC766

Function 001BB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 001BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BB6AE,?,?), ref: 001BC9B5
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BC9F1
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA68
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001BBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001BBB63
RegCloseKey.ADVAPI32(?,?), ref: 001BBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001BBBB3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6c8f23be2182029f4c2a8239ef22fc9d3f0d4321d5f5c3927c8d0511f2fc7902
Instruction ID: 44f85948bf94aa44e78dfe12a3a9a641e21ad242bd3a5d51ff0f203f70bcab5f
Opcode Fuzzy Hash: 6c8f23be2182029f4c2a8239ef22fc9d3f0d4321d5f5c3927c8d0511f2fc7902
Instruction Fuzzy Hash: 49618D31208241AFD714DF24C8D0E6ABBE5FF84318F54899CF4998B6A2DB71ED45CB92

Function 00198BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00198BCD
VariantClear.OLEAUT32 ref: 00198C3E
VariantClear.OLEAUT32 ref: 00198C9D
VariantClear.OLEAUT32(?), ref: 00198D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00198D3B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 684dfc4294c22415b660b9b8abc85c5be9f5fb90353d5eb7a90d656566df33f3
Instruction ID: 876939991c957688b1416d7bc6cb1689bb1a3c86e666d72e98db276fc6938f96
Opcode Fuzzy Hash: 684dfc4294c22415b660b9b8abc85c5be9f5fb90353d5eb7a90d656566df33f3
Instruction Fuzzy Hash: 745148B5A00619EFCB14CF68C894EAABBF9FF89314B158559E909DB350E730E911CF90

Function 001A8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001A8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001A8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001A8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001A8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001A8C5F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3fa9d4e7c20c573efde644981f9db625613c04777cba64cab4870269c6317844
Instruction ID: 8767be3d485b8eafbe770afdd654367a911efedc00afbc94d54426cb448be35b
Opcode Fuzzy Hash: 3fa9d4e7c20c573efde644981f9db625613c04777cba64cab4870269c6317844
Instruction Fuzzy Hash: 2B514B75A00219AFCB15DF65C881EA9BBF5FF49314F088458E849AB3A2DB31ED51CF90

Function 001B8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001B8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001B8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001B8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001B9032
FreeLibrary.KERNEL32(00000000), ref: 001B9052

Part of subcall function 0014F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001A1043,?,75C0E610), ref: 0014F6E6
Part of subcall function 0014F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0018FA64,00000000,00000000,?,?,001A1043,?,75C0E610,?,0018FA64), ref: 0014F70D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: afe538e92780ddc154029916dd5977ccdb85784f3eb4fdca6763f4a9c4aff3fd
Instruction ID: cd7e3e837b75226aaf359a4c2cb6eede59814fde1efbc54b280b348d5b20a1f0
Opcode Fuzzy Hash: afe538e92780ddc154029916dd5977ccdb85784f3eb4fdca6763f4a9c4aff3fd
Instruction Fuzzy Hash: 9D513735604205DFCB15EF58C4949ADBBF5FF59324F0980A8E90A9B362DB31ED86CB90

Function 001C6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001C6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001C6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001C6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001AAB79,00000000,00000000), ref: 001C6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001C6CC7

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 1522c26ada53c9d778697a5e0af632f396770b567fb514cc345281df919b3ddc
Instruction ID: 31bab87bc52d795e3a7d480ba6a016239477d7173a9e9fbc29ab3a84bc30c4ae
Opcode Fuzzy Hash: 1522c26ada53c9d778697a5e0af632f396770b567fb514cc345281df919b3ddc
Instruction Fuzzy Hash: A341E335A04114AFDB24CF68CD59FA97FA5EB1A360F15022CF899A73E1C371ED41DA84

Function 00162051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001620C3
_free.LIBCMT ref: 001620E3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8c3373a4423a8a33572ed4e0ed5b0e431dacf0c5db5ece4d71aaa935b23fa092
Instruction ID: 4a2fdfa506ee715bb110b7863ae53dae2937ddff969442bb188ef86bd6142ce5
Opcode Fuzzy Hash: 8c3373a4423a8a33572ed4e0ed5b0e431dacf0c5db5ece4d71aaa935b23fa092
Instruction Fuzzy Hash: 1841F332A006049FCB24DF78CD80A6DB3F5EF99314F164568E915EB351DB31AD11CB80

Function 0014912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00149141
ScreenToClient.USER32(00000000,?), ref: 0014915E
GetAsyncKeyState.USER32(00000001), ref: 00149183
GetAsyncKeyState.USER32(00000002), ref: 0014919D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 06db4360104567a6b9a9b3d6f10103f992724330195adf70da092f9af9c124eb
Instruction ID: d6bb80990398a0dc4e7acb336e5f07e8a7243632bd6038112403d96c709514c5
Opcode Fuzzy Hash: 06db4360104567a6b9a9b3d6f10103f992724330195adf70da092f9af9c124eb
Instruction Fuzzy Hash: C5414271A0851ABBDF19AF64C848BEEB774FB15730F244219E429A72E0C730AE50CF91

Function 001A3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001A38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001A3922
TranslateMessage.USER32(?), ref: 001A394B
DispatchMessageW.USER32(?), ref: 001A3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001A3966

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5101dd0e688beb487c9365add612674a0e4c6d6bd1708a6c65e419da697cfe2b
Instruction ID: 8087f25178e7a0765141a1788712c35aa0f263683f3e0b454940f875acaa5137
Opcode Fuzzy Hash: 5101dd0e688beb487c9365add612674a0e4c6d6bd1708a6c65e419da697cfe2b
Instruction Fuzzy Hash: 7A3182789043419FEB29CB74A84CBB73BA8EB17308F04456DF476825A1E7B49A89CB51

Function 001ACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001AC21E,00000000), ref: 001ACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001ACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001AC21E,00000000), ref: 001ACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001AC21E,00000000), ref: 001ACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001AC21E,00000000), ref: 001ACFF2

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: b59499a74a0ad45b0079fa60df7f86fc4bf10ae9dc086040b0c33d84f24d7986
Instruction ID: d2ac102751d4d7bd3618e15f67eeac72793ebe1ecc724167fb1efca99b8fb5e9
Opcode Fuzzy Hash: b59499a74a0ad45b0079fa60df7f86fc4bf10ae9dc086040b0c33d84f24d7986
Instruction Fuzzy Hash: 39318EB5900205EFDB24DFA5C884EABBBF9EB15310B10442EF51AD2610DB30EE41DBE0

Function 00191901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00191915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001919E2

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9845b9e41a7aacbc3d95a5116266736d16f60be599944456f827dfc9a16a1d9a
Instruction ID: b077e2e89924c8e1884c744871676754d32a221e93e884656b595c6e2b87174b
Opcode Fuzzy Hash: 9845b9e41a7aacbc3d95a5116266736d16f60be599944456f827dfc9a16a1d9a
Instruction Fuzzy Hash: 2231AD72A0021AEFDF04CFA8C999ADE3BB5EB04319F104229F925A72D1C7709D84CB90

Function 001C5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001C5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001C579D
_wcslen.LIBCMT ref: 001C57AF
_wcslen.LIBCMT ref: 001C57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C5816

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ef1ef59e09fb0229f742d29b30a0777a8ceb0483b3c4061fddbfc75b02226822
Instruction ID: 860d12b120343748dcae8da93e9f90e6291535a95c648755d193b2e527a73221
Opcode Fuzzy Hash: ef1ef59e09fb0229f742d29b30a0777a8ceb0483b3c4061fddbfc75b02226822
Instruction Fuzzy Hash: A3216471904658DADB209FA0CC45FEE7B79FF24724F10815AE9299A180E770D9C5CF50

Function 001B0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001B0951
GetForegroundWindow.USER32 ref: 001B0968
GetDC.USER32(00000000), ref: 001B09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001B09B0
ReleaseDC.USER32(00000000,00000003), ref: 001B09E8

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 07c93ff8efe058680cac0268ea62feaed8dd3786697ae0fb35035af233f1dc5e
Instruction ID: c29f72bd700d5207f8602bd105c7cdadd99afbb6396151dd559731b60d5f5106
Opcode Fuzzy Hash: 07c93ff8efe058680cac0268ea62feaed8dd3786697ae0fb35035af233f1dc5e
Instruction Fuzzy Hash: AB216F39600214AFD704EF65D984EAEBBE9EF59740F048068F84A97752DB30EC44CB90

Function 0016CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0016CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0016CDE9

Part of subcall function 00163820: RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0016CE0F
_free.LIBCMT ref: 0016CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0016CE31

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ea120b7809db1bde4c77326cc62637cd3fbd9164eb9ea7be5443ff110db342a3
Instruction ID: 8f6b0339d6435482bf9ca7082039e177bd23d87bc15b89f2dd5b405224b3e58e
Opcode Fuzzy Hash: ea120b7809db1bde4c77326cc62637cd3fbd9164eb9ea7be5443ff110db342a3
Instruction Fuzzy Hash: 0901D472A022157F232116BA6C88C7F7D7DEFC6BA13154129F949C7200EB66CD2181F0

Function 00149639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00149693
SelectObject.GDI32(?,00000000), ref: 001496A2
BeginPath.GDI32(?), ref: 001496B9
SelectObject.GDI32(?,00000000), ref: 001496E2

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9e749aab29fbbbd2ecd751c09394ff6a1e710e1be7e5b0454d0d44ac0769dc90
Instruction ID: 2b34224b326b9ffc36a17ff1a669407df94f29d698b7ffa574e46eb8864d7e6a
Opcode Fuzzy Hash: 9e749aab29fbbbd2ecd751c09394ff6a1e710e1be7e5b0454d0d44ac0769dc90
Instruction Fuzzy Hash: A0219D70802349EFDB119F25FC0CBAA3BA9BF50325F110216F818A61B2D37098A2CF90

Function 00195711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00195726
_memcmp.LIBVCRUNTIME ref: 00195744
_memcmp.LIBVCRUNTIME ref: 00195757
_memcmp.LIBVCRUNTIME ref: 0019576F
_memcmp.LIBVCRUNTIME ref: 00195787

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6fe48e866ac6d06d871ec9cd0dad9d9ba56b371bb16b4bd10e2f73dd191dea6e
Instruction ID: 99f8490f2e8dfdd4362dd8d91fb4199372a93ecf4ae61db509f110c444007970
Opcode Fuzzy Hash: 6fe48e866ac6d06d871ec9cd0dad9d9ba56b371bb16b4bd10e2f73dd191dea6e
Instruction Fuzzy Hash: 0B01D261241609FADB0E5650AD92FBA735FAB303A5B804028FD04AE242F730EE1583A1

Function 00162DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0015F2DE,00163863,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6), ref: 00162DFD
_free.LIBCMT ref: 00162E32
_free.LIBCMT ref: 00162E59
SetLastError.KERNEL32(00000000,00131129), ref: 00162E66
SetLastError.KERNEL32(00000000,00131129), ref: 00162E6F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5003686138cb15b9c7094042cb495042b0a4f01e1ff47753702ebd19676c6c50
Instruction ID: f7a88b74ded0d1efa4d5875f85cfac6cec3179dc6257374e951f158a4ee67f54
Opcode Fuzzy Hash: 5003686138cb15b9c7094042cb495042b0a4f01e1ff47753702ebd19676c6c50
Instruction Fuzzy Hash: FB012836645E1067C72667347C45D3B2A5DEBE13B5B260038F425A32D3EF32CC719160

Function 0019000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?,?,0019035E), ref: 0019002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?), ref: 00190064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190070

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: adc95b3a8a14090ddc766940f67628053c3a875f1fc2e1e92c6dddc8473fc189
Instruction ID: 3bbf14a0f209d9f27e2c888f892bd361b6eb6e469df06de63cb73baa9cebdbf0
Opcode Fuzzy Hash: adc95b3a8a14090ddc766940f67628053c3a875f1fc2e1e92c6dddc8473fc189
Instruction Fuzzy Hash: 71014F76600214BFDF128F69DC44FAA7EEDEB48791F184128F909D6210D775DD809BA0

Function 0019E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0019E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0019E9A5
Sleep.KERNEL32(00000000), ref: 0019E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0019E9B7
Sleep.KERNEL32 ref: 0019E9F3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 856cdaf56c87e85fb9588f1d9fc8a30bea17ff8d7c4147b592c35d980aacee3e
Instruction ID: 08e1d9304dfa9dca42d5d14fbe96c55805861fa99bb118f1afbe8d28a760005e
Opcode Fuzzy Hash: 856cdaf56c87e85fb9588f1d9fc8a30bea17ff8d7c4147b592c35d980aacee3e
Instruction Fuzzy Hash: BC012531C01629DBCF00EFE5DC59AEDBBB8FF09705F050956E906B2641CB309A95CBA2

Function 001910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00191114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 0019112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019114D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9f194ce8d96218edfc7ba41a4cc4afb13d4edd7f76a8620aa4e0bbad6ebcbeed
Instruction ID: d57a1cf02df8284569b14c031e8cbd81abf3d70e84c880a8c5138974e5fd71df
Opcode Fuzzy Hash: 9f194ce8d96218edfc7ba41a4cc4afb13d4edd7f76a8620aa4e0bbad6ebcbeed
Instruction Fuzzy Hash: C4011979200305BFDB114FA5DC4DE6A3F6EEF893A0B244429FA49D7360DB31DC819AA0

Function 00190FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00190FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00190FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00190FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00190FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00191002

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b3fdbb8cc329e7de414a641bf45f355013c68f74ff83767f4a97e374411d96bf
Instruction ID: 8d0eee58f9bbaa30d8ac35cb28edf67d327139925d866e1e6cd0e1269f5db8fe
Opcode Fuzzy Hash: b3fdbb8cc329e7de414a641bf45f355013c68f74ff83767f4a97e374411d96bf
Instruction Fuzzy Hash: B9F04939200302FBDB214FA5AC49F563FADFF89762F244414FA49C6651CA71DC90CAA0

Function 00191014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0019102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00191036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00191045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0019104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00191062

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 93340f4f0a52c0870bcf1ea85bf1fe171c885c64637b35dfb0a9a36c32ca6473
Instruction ID: e4ad9ff24886e67e0743207653a9241621e9889deaaec8c3009fdfbdb0d29c4c
Opcode Fuzzy Hash: 93340f4f0a52c0870bcf1ea85bf1fe171c885c64637b35dfb0a9a36c32ca6473
Instruction Fuzzy Hash: 1FF04939200302FBDB215FA5EC49F563FADFF897A1F240814FA49C6650CA71DC908AA0

Function 001A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A0324
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A0331
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A033E
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A034B
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A0358
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A0365

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 482657dcaae3de1793c58d1bcdeeb044b9cb4872d0f9b3fdd269562fac3acde2
Instruction ID: 143b506e7a07d579768927e847f0e1766372cec2d475f792725cac03764766c4
Opcode Fuzzy Hash: 482657dcaae3de1793c58d1bcdeeb044b9cb4872d0f9b3fdd269562fac3acde2
Instruction Fuzzy Hash: B701AA7A800B159FCB32AF66D880812FBF9BF653153158A3FD19652931C3B1A998DF80

Function 0016D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0016D752

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 0016D764
_free.LIBCMT ref: 0016D776
_free.LIBCMT ref: 0016D788
_free.LIBCMT ref: 0016D79A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4f8b99f2bc52e792251f6b6bcb80e8863a44abac0ac964d78779543451084752
Instruction ID: 72e6d69c81c0c827f371c465a2ef623e88f535655af34b9a5cc991c89aa1da3a
Opcode Fuzzy Hash: 4f8b99f2bc52e792251f6b6bcb80e8863a44abac0ac964d78779543451084752
Instruction Fuzzy Hash: 9DF09632B00618AB8625EB64FEC2C2677DDBB44358B950C05F048D7901CB30FCD0C6A1

Function 00195C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00195C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00195C6F
MessageBeep.USER32(00000000), ref: 00195C87
KillTimer.USER32(?,0000040A), ref: 00195CA3
EndDialog.USER32(?,00000001), ref: 00195CBD

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 124ca0b04d2def57b3e4b530de28abbddf322ccd785d7fa2149ee22da0873c3c
Instruction ID: 6459b1681bede6c1347ff049d6a99763a7f76b8bbbd49fdb22775cd9e89e3f94
Opcode Fuzzy Hash: 124ca0b04d2def57b3e4b530de28abbddf322ccd785d7fa2149ee22da0873c3c
Instruction Fuzzy Hash: F6018130500B14ABEF255B50DE4EFA67BBDBB00B05F000559E687B19E1DBF0AD848B91

Function 001622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001622BE

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 001622D0
_free.LIBCMT ref: 001622E3
_free.LIBCMT ref: 001622F4
_free.LIBCMT ref: 00162305

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 05c606f5ce7ab62ee2f5a14bf5e32b8bcffde26752dbe1713dc701cbc62bda74
Instruction ID: 75c361c6379bfbfeb73c297e3db4da4afbcd35e190f6814c915f1d526edd8b64
Opcode Fuzzy Hash: 05c606f5ce7ab62ee2f5a14bf5e32b8bcffde26752dbe1713dc701cbc62bda74
Instruction Fuzzy Hash: 43F03470A00B358BCB16AFA4BD499183BA4B7287A1B00060AF814D36B3CB300871BFE5

Function 001495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001495D4
StrokeAndFillPath.GDI32(?,?,001871F7,00000000,?,?,?), ref: 001495F0
SelectObject.GDI32(?,00000000), ref: 00149603
DeleteObject.GDI32 ref: 00149616
StrokePath.GDI32(?), ref: 00149631

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 85ddb214fad6338ea54cb9183c0701cbd3f6a67d65073319e9911996c28ac4f3
Instruction ID: ae303f29641754d5f46a71d1802536db77e05679ad3be6e3466ded5d2cdf848a
Opcode Fuzzy Hash: 85ddb214fad6338ea54cb9183c0701cbd3f6a67d65073319e9911996c28ac4f3
Instruction Fuzzy Hash: E2F0E735006348EBDB269F69FD1CB693F65BB05322F148214F469594F2C73089B5DF61

Function 00160F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001610F9
__freea.LIBCMT ref: 00161117

Part of subcall function 00161537: _free.LIBCMT ref: 0016154F

Strings

am/pm, xrefs: 0016117A
a/p, xrefs: 001611DE

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: f01ccdb82a76490489afa00275ae746f59490ed66b3fa1cf9107294d89ebf03b
Instruction ID: f4a7864342e9c56236198be6b5d09cd48d3064384b7cd4905cf1ae6760a270cb
Opcode Fuzzy Hash: f01ccdb82a76490489afa00275ae746f59490ed66b3fa1cf9107294d89ebf03b
Instruction Fuzzy Hash: 66D10131900206EADB289F68CC95BFEB7B1FF16320F2D4159E906AB750D3759DA0CB91

Function 001B61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00150242: EnterCriticalSection.KERNEL32(0020070C,00201884,?,?,0014198B,00202518,?,?,?,001312F9,00000000), ref: 0015024D
Part of subcall function 00150242: LeaveCriticalSection.KERNEL32(0020070C,?,0014198B,00202518,?,?,?,001312F9,00000000), ref: 0015028A

Part of subcall function 001500A3: __onexit.LIBCMT ref: 001500A9

__Init_thread_footer.LIBCMT ref: 001B6238

Part of subcall function 001501F8: EnterCriticalSection.KERNEL32(0020070C,?,?,00148747,00202514), ref: 00150202
Part of subcall function 001501F8: LeaveCriticalSection.KERNEL32(0020070C,?,00148747,00202514), ref: 00150235

Part of subcall function 001A359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001A35E4
Part of subcall function 001A359C: LoadStringW.USER32(00202390,?,00000FFF,?), ref: 001A360A

Strings

x# , xrefs: 001B6353
x# , xrefs: 001B636F
x# , xrefs: 001B633A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x# $x# $x#
API String ID: 1072379062-466273406
Opcode ID: 7dd39f4bcbcc8d6d1c9f9645c051e31447b92048ebfa0ee255310090b28aedde
Instruction ID: fa3917ed0adb1f8e07bc6a61cf4665c6971b643237780d4d5787bfefba057bab
Opcode Fuzzy Hash: 7dd39f4bcbcc8d6d1c9f9645c051e31447b92048ebfa0ee255310090b28aedde
Instruction Fuzzy Hash: 53C18A71A00205ABDB24DF98C894EFEB7B9FF68340F108069F915AB291DB74ED44CB90

Function 001B7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00150242: EnterCriticalSection.KERNEL32(0020070C,00201884,?,?,0014198B,00202518,?,?,?,001312F9,00000000), ref: 0015024D
Part of subcall function 00150242: LeaveCriticalSection.KERNEL32(0020070C,?,0014198B,00202518,?,?,?,001312F9,00000000), ref: 0015028A

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 001500A3: __onexit.LIBCMT ref: 001500A9

__Init_thread_footer.LIBCMT ref: 001B7BFB

Part of subcall function 001501F8: EnterCriticalSection.KERNEL32(0020070C,?,?,00148747,00202514), ref: 00150202
Part of subcall function 001501F8: LeaveCriticalSection.KERNEL32(0020070C,?,00148747,00202514), ref: 00150235

Strings

5, xrefs: 001B7C78
G, xrefs: 001B7C7F
Variable must be of type 'Object'., xrefs: 001B7C3A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 093974c590671a09c09a35665a050f3986c85effa51a5ffe9fb13236cba054d6
Instruction ID: 3fe9baa1245501760c36abd5b38c94b38cda8e5df82024b96edd21b4ca15f92f
Opcode Fuzzy Hash: 093974c590671a09c09a35665a050f3986c85effa51a5ffe9fb13236cba054d6
Instruction Fuzzy Hash: A8918970A04209EFCB14EF94D891DEDBBB2FF99340F508059F806AB292DB71AE45CB51

Function 00192716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001921D0,?,?,00000034,00000800,?,00000034), ref: 0019B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00192760

Part of subcall function 0019B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0019B3F8

Part of subcall function 0019B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0019B355
Part of subcall function 0019B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00192194,00000034,?,?,00001004,00000000,00000000), ref: 0019B365
Part of subcall function 0019B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00192194,00000034,?,?,00001004,00000000,00000000), ref: 0019B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0019281A

Strings

@, xrefs: 00192832

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9248bfa41328e68f8fb5d86bfe2e92cfa2f52f001d4d0826e76c47c9f57b4c02
Instruction ID: 7e86498db4d94fe8349762261febaff439ef6f0d91f53340f3ba68ed9a30ad45
Opcode Fuzzy Hash: 9248bfa41328e68f8fb5d86bfe2e92cfa2f52f001d4d0826e76c47c9f57b4c02
Instruction Fuzzy Hash: A3411B72900218BFDF10DBA4DD85EEEBBB8AF19700F104095FA55B7181DB706E85CBA1

Function 0016172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00161769
_free.LIBCMT ref: 00161834
_free.LIBCMT ref: 0016183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00161760, 00161767, 00161796, 001617CE

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 3e48adc34e9d251fdaa105d94930cfc8cf596eb6e2bab3acdd18d02534fa8a23
Instruction ID: dc937318606db34278505e2ed995c6f7c5eb4f3b2950410b89c80df81ef968ba
Opcode Fuzzy Hash: 3e48adc34e9d251fdaa105d94930cfc8cf596eb6e2bab3acdd18d02534fa8a23
Instruction Fuzzy Hash: 54316C71A40218FFDB21DB999C85D9EBBFCEB95310B1841AAF804D7212D7708E61CB90

Function 0019C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0019C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0019C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00201990,011E50C8), ref: 0019C395

Strings

0, xrefs: 0019C2DF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9064b5b59bf515a9f668d0b106884503839db621ed3a4cf11cdfe3d00c9a949b
Instruction ID: 487efd82647dbf5ea5b19b22dcd02ad709b08a6a19b9d09214cc5b965cd0f70a
Opcode Fuzzy Hash: 9064b5b59bf515a9f668d0b106884503839db621ed3a4cf11cdfe3d00c9a949b
Instruction Fuzzy Hash: 8341C2716043019FDB24DF29D884F5ABBE4BF99320F008A1DF8A5972D1D770EA04CB92

Function 001C4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001CCC08,00000000,?,?,?,?), ref: 001C44AA
GetWindowLongW.USER32 ref: 001C44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001C44D7

Strings

SysTreeView32, xrefs: 001C447C

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5932c1e93a0175a9cea59dd9df6fdd1ffabc45a67a3c7dccbddb2c7bd6fca735
Instruction ID: 6fe203eeae2f835c4351187943935727f0fcbfa0ff922488fee0e43a68e9d311
Opcode Fuzzy Hash: 5932c1e93a0175a9cea59dd9df6fdd1ffabc45a67a3c7dccbddb2c7bd6fca735
Instruction Fuzzy Hash: 13318B31214605AFDB248E38DC55FEA7BA9EB28334F204719F979922E0D770EC519B90

Function 001B304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001B3077,?,?), ref: 001B3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001B307A
_wcslen.LIBCMT ref: 001B309B
htons.WSOCK32(00000000,?,?,00000000), ref: 001B3106

Strings

255.255.255.255, xrefs: 001B3095, 001B309A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b193b4fdb4eb2c026d86beee7c3e42126322b2dd021fcc7627b788742c6efd16
Instruction ID: 261674c46be6ea3ea8e5a0da74652b5ea979f323adf9372a841d619eb894db80
Opcode Fuzzy Hash: b193b4fdb4eb2c026d86beee7c3e42126322b2dd021fcc7627b788742c6efd16
Instruction Fuzzy Hash: ED31F3396002059FCB10DF28C885EEA7BE4EF54318F258059E8258B392DB72EE45CB60

Function 001C3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001C3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001C3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C3F78

Strings

SysMonthCal32, xrefs: 001C3F0B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6364063450c593987609df2429abeffd51d20301dad3787021d2aef5247ccab3
Instruction ID: 262d5ce5e911cc71530450bfa91a245f05df24ecd57636bdb55507216936b4f6
Opcode Fuzzy Hash: 6364063450c593987609df2429abeffd51d20301dad3787021d2aef5247ccab3
Instruction Fuzzy Hash: 9F218D32610219BBDF158E50DC46FEA3BB9EB58714F114218FA156B1D0D7B1ED508B90

Function 001C4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001C4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001C4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001C471A

Strings

msctls_updown32, xrefs: 001C4684

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 07020538fce50e86ead01d936ead76eba2fc2a2bb304fbabdcb49d70d9cafb8d
Instruction ID: 3f1a6b26260c598f0d11234a2597cc7a675f2038ba060e46d1b81ed133885163
Opcode Fuzzy Hash: 07020538fce50e86ead01d936ead76eba2fc2a2bb304fbabdcb49d70d9cafb8d
Instruction Fuzzy Hash: C6213DB5604209AFDB11DF64DCD5EB737ADEF6A3A4B040059FA049B391CB71EC61CAA0

Function 001995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0019961D

Strings

#notrayicon, xrefs: 001995B7
#requireadmin, xrefs: 001995D9
#OnAutoItStartRegister, xrefs: 001995F3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f7075fd83ec8c2a6607553e1a61ba9d4db8c3d97385d1a786e70ccb042fec630
Instruction ID: 488b40a03dc16cb6e7be0d34f793d87f9c0ea04a7aacd7bbdced3e15eea6d3bc
Opcode Fuzzy Hash: f7075fd83ec8c2a6607553e1a61ba9d4db8c3d97385d1a786e70ccb042fec630
Instruction Fuzzy Hash: C3212B72104511A6EB31AB2C9C03FB773E8DF75310F15442EF959AB181EB51ED46C2D5

Function 001C37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001C3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001C3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001C3876

Strings

Listbox, xrefs: 001C380F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a3d9d501795ac2203cd28997c89ad764310e74ad8949d4779825fdcd1c010be7
Instruction ID: 8b09563100891ef2ba196664cca61f73e83b07e333e9696ec7b3a258c74cef63
Opcode Fuzzy Hash: a3d9d501795ac2203cd28997c89ad764310e74ad8949d4779825fdcd1c010be7
Instruction Fuzzy Hash: F8218E72610218BBEB219F54DC85FBB3B6EEFA9750F118128F9149B190C771DC528BA0

Function 001A49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001A4A5C
SetErrorMode.KERNEL32(00000000,?,?,001CCC08), ref: 001A4AD0

Strings

%lu, xrefs: 001A4A6F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c2a67374a39a917844f84724ae38284e743a5e4d432906ad1dcd022e1d390ded
Instruction ID: c725e78d06f1cdaf1ab6b682b14c079b763d6d9512597d537329275824da7c11
Opcode Fuzzy Hash: c2a67374a39a917844f84724ae38284e743a5e4d432906ad1dcd022e1d390ded
Instruction Fuzzy Hash: 44316275A00109AFDB10DF54C885EAA7BF8EF49308F1480A9F909DB352D771ED45CBA1

Function 001C41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001C424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001C4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001C4271

Strings

msctls_trackbar32, xrefs: 001C4226

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 12be896f9c66860375a0e0b7b60d54dbfce2822695c71f0a8484ca4c5ea1046f
Instruction ID: 45e391f7b804972928be8c85f63f534260f3d0a3fe2e02fdf20d56627ee35cd2
Opcode Fuzzy Hash: 12be896f9c66860375a0e0b7b60d54dbfce2822695c71f0a8484ca4c5ea1046f
Instruction Fuzzy Hash: 0E11E331244248BFEF205E28DC46FAB3BACEFA5B54F010118FA55E2090D371DC619B10

Function 00192F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

Part of subcall function 00192DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00192DC5
Part of subcall function 00192DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00192DD6
Part of subcall function 00192DA7: GetCurrentThreadId.KERNEL32 ref: 00192DDD
Part of subcall function 00192DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00192DE4

GetFocus.USER32 ref: 00192F78

Part of subcall function 00192DEE: GetParent.USER32(00000000), ref: 00192DF9

GetClassNameW.USER32(?,?,00000100), ref: 00192FC3
EnumChildWindows.USER32(?,0019303B), ref: 00192FEB

Strings

%s%d, xrefs: 00192FFF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 52e9186afcdfb5ffc3f7e11abf642abd7bcb9e057d0a6b5cec6dbaa89a539277
Instruction ID: 1b16a1d2670219448c0d9e666008c4fd12dd891c24d9c7ef5098c42953611d75
Opcode Fuzzy Hash: 52e9186afcdfb5ffc3f7e11abf642abd7bcb9e057d0a6b5cec6dbaa89a539277
Instruction Fuzzy Hash: 50118475700205ABCF147FB49C89EEE77AAAFA4304F048075FA199B252DF7099458B60

Function 001C5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001C58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001C58EE
DrawMenuBar.USER32(?), ref: 001C58FD

Strings

0, xrefs: 001C588F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 58d831e378d46819ba011b295e1577c2804fc4269f86c2fcba5f2710995a016a
Instruction ID: 1a672b2462ce88a7f4bc84d1e9bc2a9bfed5d4e6853c5e26df9a975859565f0b
Opcode Fuzzy Hash: 58d831e378d46819ba011b295e1577c2804fc4269f86c2fcba5f2710995a016a
Instruction Fuzzy Hash: 0D015B31600218EEDB219F11DC44FAEBBB9FB55365F10809DE849D6261DB30DAC5DF61

Function 0019007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25c3bc97ff26d5338200bbfc7daca9b53e789461fa62906861474014d0cd3cd
Instruction ID: a51db7962a44c2621fcd04e1a8903b49fd4dfd4ca45b070536ccdece81b36f5d
Opcode Fuzzy Hash: a25c3bc97ff26d5338200bbfc7daca9b53e789461fa62906861474014d0cd3cd
Instruction Fuzzy Hash: 95C16C75A0021AEFCB15CFA4C894EAEB7B5FF48704F218598E905EB251D731EE81DB90

Function 00163E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00163F0B
__alldvrm.LIBCMT ref: 0016410C
__alldvrm.LIBCMT ref: 0016412E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: b4298462635d30738c1a4a1b4425e1786059bd877643656104b663c14c74e436
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 39A17572E003969FEB25CF28CC917AEBBF4EF22350F1941ADE5958B282C3349991C750

Function 001B342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001B3459
CoUninitialize.OLE32 ref: 001B3463
VariantInit.OLEAUT32(?), ref: 001B346E
VariantClear.OLEAUT32(?), ref: 001B371B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 6e3d4e827f6ac67aec92eae4bc779b9c853439c1cd04c36f49045a036db32c9d
Instruction ID: 183503f2d9114821c2c3416cf4a2e1e8f0c0236802a282d00e599d2aa0236e88
Opcode Fuzzy Hash: 6e3d4e827f6ac67aec92eae4bc779b9c853439c1cd04c36f49045a036db32c9d
Instruction Fuzzy Hash: 5EA159756043009FCB14DF29C485A6AB7E5FF98724F05885DF99A9B3A2DB30EE01CB91

Function 00190436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001CFC08,?), ref: 001905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001CFC08,?), ref: 00190608
CLSIDFromProgID.OLE32(?,?,00000000,001CCC40,000000FF,?,00000000,00000800,00000000,?,001CFC08,?), ref: 0019062D
_memcmp.LIBVCRUNTIME ref: 0019064E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 21c23ecb618caf8d3c382a8e24c0a5dd42e50bb0437d193300cf92ca32835997
Instruction ID: 506cfe79fb2edc668800c55b5f17049b473dfd57b12d613bc74d3eb7e62fe16f
Opcode Fuzzy Hash: 21c23ecb618caf8d3c382a8e24c0a5dd42e50bb0437d193300cf92ca32835997
Instruction Fuzzy Hash: 63810871A00109EFCF05DF94C984EEEB7BAFF89315F204558E516AB250DB71AE46CB60

Function 001BA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001BA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001BA6BA

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Process32NextW.KERNEL32(00000000,?), ref: 001BA79C
CloseHandle.KERNEL32(00000000), ref: 001BA7AB

Part of subcall function 0014CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00173303,?), ref: 0014CE8A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 5ec5700a91cd943e521f9587436928028ec5f53a4b8aefe425bc7c32faed7956
Instruction ID: 5155c45c24caa6cf87155dfbf1727d6438fc6d2ad195cec5178ff6ab049a8fbe
Opcode Fuzzy Hash: 5ec5700a91cd943e521f9587436928028ec5f53a4b8aefe425bc7c32faed7956
Instruction Fuzzy Hash: 93514C71508300AFD710EF25D886E6BBBE8FF99754F40891DF589A7261EB70D904CB92

Function 00171391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001714C0

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 87128a305104df41092ce45ae6926b25d660914b145f04c20646242370e73d8e
Instruction ID: e2e89b52283fcaa2383d5abc10011b56ed8466b496f344a003b71fb8c7640d3a
Opcode Fuzzy Hash: 87128a305104df41092ce45ae6926b25d660914b145f04c20646242370e73d8e
Instruction Fuzzy Hash: EF414C71A00500BBDB256BFD9C46ABE3AB5FF61770F14C629FC2ED7291E73488425261

Function 001C6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001C62E2
ScreenToClient.USER32(?,?), ref: 001C6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001C6382

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0bf1fe91b26a688177bc7f47849417f2f6c73cadbc420f7f84a6b842705d1bc2
Instruction ID: 96107c501075362ec9d650e57aaca6c8031ede94f973f4e05925ad6e0d08b4fd
Opcode Fuzzy Hash: 0bf1fe91b26a688177bc7f47849417f2f6c73cadbc420f7f84a6b842705d1bc2
Instruction Fuzzy Hash: 4B512A74A00249AFCB14DF68D984EAE7BB5FF65360F10816DF8599B291D730ED81CB90

Function 001B1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001B1AFD
WSAGetLastError.WSOCK32 ref: 001B1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001B1B8A
WSAGetLastError.WSOCK32 ref: 001B1B94

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 48395b34f12a0ac25b702a7a50b1da9489b6fd2fe85b2603c1755544a2173317
Instruction ID: 7a72103fcdfa433dcfc4c8ae27c9e0a5b21d6e9f515b4982c8474b3e4dab9428
Opcode Fuzzy Hash: 48395b34f12a0ac25b702a7a50b1da9489b6fd2fe85b2603c1755544a2173317
Instruction Fuzzy Hash: 2441D075600200AFE720AF24C896F6A7BE5AB58718F54C44CFA1A9F7D2D772ED41CB90

Function 0016B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6638d53db1c35816ec89ab16098624d1dbf03059d40f4a67a636731c2c39af2
Instruction ID: 2ec1f30c18869f37a95495731aeb17743edd419c51b1b652e962fc13d25b25aa
Opcode Fuzzy Hash: a6638d53db1c35816ec89ab16098624d1dbf03059d40f4a67a636731c2c39af2
Instruction Fuzzy Hash: A9414972A04314BFD724AF3CCC81BAABBF9EB94710F10852EF556DB281DB7199518780

Function 001A56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001A5783
GetLastError.KERNEL32(?,00000000), ref: 001A57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001A57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001A57FA

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2e3f36220cc2a48be7d35123d7008876f508b2267bbf4191d4ddfb01f8c091a1
Instruction ID: 981a588154c433190aad92c22e0091b4cd82b4cb4739ba9d05d858931c16ce9e
Opcode Fuzzy Hash: 2e3f36220cc2a48be7d35123d7008876f508b2267bbf4191d4ddfb01f8c091a1
Instruction Fuzzy Hash: 9E413D3A604610DFCB25DF55D444A1EBBE2EF99320F198488E84AAB362CB34FD40CB91

Function 0016D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00156D71,00000000,00000000,001582D9,?,001582D9,?,00000001,00156D71,8BE85006,00000001,001582D9,001582D9), ref: 0016D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0016D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0016D9AB
__freea.LIBCMT ref: 0016D9B4

Part of subcall function 00163820: RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8dda9fd05381fd3b36f5fce9a4abeed250a6b4ba847906aa1362dc985e8b2d97
Instruction ID: 24a408c4e75eedbc2a6b9fd6d55d0a4b31445b4659a7c5e28893e98881b617c2
Opcode Fuzzy Hash: 8dda9fd05381fd3b36f5fce9a4abeed250a6b4ba847906aa1362dc985e8b2d97
Instruction Fuzzy Hash: 8131BE72A0020AABDF259F65EC45EAF7BA5EB41314F054168FC18DB250EB35CDA4CBE0

Function 001C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001C5352
GetWindowLongW.USER32(?,000000F0), ref: 001C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001C53A8

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e3dc28d1dc036ef82ab067e0ebd3d859302e38afd6abe8a8c606c566f5557c37
Instruction ID: 7a07e4c27b0e7207257a34f2e0fcf473b03306405ba66ef3507b4159a6bcf88c
Opcode Fuzzy Hash: e3dc28d1dc036ef82ab067e0ebd3d859302e38afd6abe8a8c606c566f5557c37
Instruction Fuzzy Hash: 9331A334A55A88AFEB249A54CC05FE87767BB24390F546109FA11962E2C7B0FDC0DB42

Function 0019AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0019ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0019AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0019AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0019ACC6

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5e02638c90658dbe3c4435fa72ba4d066dc2a709b6a27a2a561180b1f34763eb
Instruction ID: 1c774c8346ea54866ed21b5b1145c2d1251fc8a2311807a9637cedb0524cb264
Opcode Fuzzy Hash: 5e02638c90658dbe3c4435fa72ba4d066dc2a709b6a27a2a561180b1f34763eb
Instruction Fuzzy Hash: C3310430A04618AFEF35CB658C04BFA7BB5AF89311F84461AE4859A2D1C375998987D2

Function 001C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001C769A
GetWindowRect.USER32(?,?), ref: 001C7710
PtInRect.USER32(?,?,001C8B89), ref: 001C7720
MessageBeep.USER32(00000000), ref: 001C778C

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ac37e3e83945972f90537345d519b01f83fcf1103fcbfee201a00efa09f96d65
Instruction ID: 28ea41085c7bf9b2f713740ba75e905ae838d8cd48628349651046c7802f3b06
Opcode Fuzzy Hash: ac37e3e83945972f90537345d519b01f83fcf1103fcbfee201a00efa09f96d65
Instruction Fuzzy Hash: 8B415C346053589FCB11CF68D898FA97BF5BB69314F1541ADE4149B2A1C7B0E941CF90

Function 001C16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001C16EB

Part of subcall function 00193A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00193A57
Part of subcall function 00193A3D: GetCurrentThreadId.KERNEL32 ref: 00193A5E
Part of subcall function 00193A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001925B3), ref: 00193A65

GetCaretPos.USER32(?), ref: 001C16FF
ClientToScreen.USER32(00000000,?), ref: 001C174C
GetForegroundWindow.USER32 ref: 001C1752

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 00ffe8ecd5cca7428e25c1c11207cc7334d494e3e5bb6dda963bee4230f08761
Instruction ID: 8c1750303175a53a22b4fcd034092abe4d3aa01063329b1519d11a55d4c23dfb
Opcode Fuzzy Hash: 00ffe8ecd5cca7428e25c1c11207cc7334d494e3e5bb6dda963bee4230f08761
Instruction Fuzzy Hash: 61312C75900249AFDB04EFA9C881DAEBBF9EF59304B5080A9E415E7212D731DE45CBA0

Function 001C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

GetCursorPos.USER32(?), ref: 001C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00187711,?,?,?,?,?), ref: 001C9016
GetCursorPos.USER32(?), ref: 001C905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00187711,?,?,?), ref: 001C9094

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7bd7bb784af3ed390d4afde50e0e89ef669f61a202cbfac6bcd5009962a0d2ed
Instruction ID: 902ec7c340b32a9459a56d5f2eb9e79ec6a70a53a6e3706f2f571709839ed26a
Opcode Fuzzy Hash: 7bd7bb784af3ed390d4afde50e0e89ef669f61a202cbfac6bcd5009962a0d2ed
Instruction Fuzzy Hash: E6217C35600118EFDB258F94D858FEA7BB9EB89350F144169F9058B2A1C731DDA0DBA0

Function 0019D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001CCB68), ref: 0019D2FB
GetLastError.KERNEL32 ref: 0019D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0019D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001CCB68), ref: 0019D376

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 604b7358788ff8f0ae163a078b3ea190b89679c36c045c58196320d8860f1112
Instruction ID: b86842f74c8cb49495cc67091ef6387092cda322bbfadc727a764737588bd42a
Opcode Fuzzy Hash: 604b7358788ff8f0ae163a078b3ea190b89679c36c045c58196320d8860f1112
Instruction Fuzzy Hash: F3219FB05082019FCB00DF68E88186ABBE4BF66365F104A1DF499C72A1D730DE46CB93

Function 00191571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00191014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0019102A
Part of subcall function 00191014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00191036
Part of subcall function 00191014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00191045
Part of subcall function 00191014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0019104C
Part of subcall function 00191014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00191062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001915BE
_memcmp.LIBVCRUNTIME ref: 001915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00191617
HeapFree.KERNEL32(00000000), ref: 0019161E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2320cabf90ef92e2d0564771da8e7b4a1dcd41d5fa417e8f2e8e01e2adb2e6b7
Instruction ID: 93f95c73207b0adea6e61aeac5c1cc9900bd7ea82bd44cc882a3e37aca572062
Opcode Fuzzy Hash: 2320cabf90ef92e2d0564771da8e7b4a1dcd41d5fa417e8f2e8e01e2adb2e6b7
Instruction Fuzzy Hash: 21215532E4010AFBDF00DFA4C945BEEB7B8FF45354F098459E445AB241E770AA85CBA0

Function 001C2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001C280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001C2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001C2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001C2840

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 96ab7de3a75cddf33589fb0cfe8a3f441f5cba2f103934885e5de002011581ea
Instruction ID: 1dcb7f39c1995d2966dc1b60e8a835ed41b056caf1a346ad9baccd95ada0eead
Opcode Fuzzy Hash: 96ab7de3a75cddf33589fb0cfe8a3f441f5cba2f103934885e5de002011581ea
Instruction Fuzzy Hash: E221A135208611AFD7149B24C895FAA7B95AF65324F14815CF42A8BAE2CB71FC82CBD0

Function 001978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00198D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0019790A,?,000000FF,?,00198754,00000000,?,0000001C,?,?), ref: 00198D8C
Part of subcall function 00198D7D: lstrcpyW.KERNEL32(00000000,?,?,0019790A,?,000000FF,?,00198754,00000000,?,0000001C,?,?,00000000), ref: 00198DB2
Part of subcall function 00198D7D: lstrcmpiW.KERNEL32(00000000,?,0019790A,?,000000FF,?,00198754,00000000,?,0000001C,?,?), ref: 00198DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00198754,00000000,?,0000001C,?,?,00000000), ref: 00197923
lstrcpyW.KERNEL32(00000000,?,?,00198754,00000000,?,0000001C,?,?,00000000), ref: 00197949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00198754,00000000,?,0000001C,?,?,00000000), ref: 00197984

Strings

cdecl, xrefs: 0019797B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 167fa6796997d0977de9f090b83e7e594d8ae92014cfb2f8374c4db7607df540
Instruction ID: 65a110971452f55a4a7c56c1d1fb853a66fc93a2c1304d43494e6c6996bd95e2
Opcode Fuzzy Hash: 167fa6796997d0977de9f090b83e7e594d8ae92014cfb2f8374c4db7607df540
Instruction Fuzzy Hash: 1711037A200242AFCF15AF35D844E7A77A9FF95364B10402AF906CB2A4EB31D801C7A1

Function 001C7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001C7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 001C7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001C7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001AB7AD,00000000), ref: 001C7D6B

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 613002790568efc25b44cb43ff49ae2f4d38f2121c83f9b655eff54073138ff4
Instruction ID: f1d3c39d749acb9c55403442bfde6e9aa7def9e6517587e89b65d461c4e27974
Opcode Fuzzy Hash: 613002790568efc25b44cb43ff49ae2f4d38f2121c83f9b655eff54073138ff4
Instruction Fuzzy Hash: 35116A32604655AFCB109F68DC08EB63BA5AF45360F158728F83AC72E0D770DD60CB90

Function 001C5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001C56BB
_wcslen.LIBCMT ref: 001C56CD
_wcslen.LIBCMT ref: 001C56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C5816

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 6b035d2ad6dbacff6a7b25844b57c65be64ca292c1514e8341b106179ec06ef3
Instruction ID: 14e13cd071e04edc7183f4a0fd5820874156e8a4a95a893e17eff270fa40e5db
Opcode Fuzzy Hash: 6b035d2ad6dbacff6a7b25844b57c65be64ca292c1514e8341b106179ec06ef3
Instruction Fuzzy Hash: 9711B175A0061896DB209FA5CC85FEE7BBCAF31768B10406EF915D6081E770EAC4CB60

Function 00161D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699acae5df3da696a04ebf6164d0dab251e0e7874dccd7db81002f32f50fb128
Instruction ID: 6d778f2f36a6f4d115b768cf53f4c22a9a672b206575f409592f3ea1d217a8e4
Opcode Fuzzy Hash: 699acae5df3da696a04ebf6164d0dab251e0e7874dccd7db81002f32f50fb128
Instruction Fuzzy Hash: 3B01ADB2609A167EF62126B87CC9F77665CDF917B8F390325F521A12D2DB708C605170

Function 00191A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00191A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00191A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00191A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00191A8A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9342070341c078419b904978260440b0318f837852abbc39c4b827bfb2c319f4
Instruction ID: 78f927b01d0b1ee81bf44fe5f7b0dde362ebd23138ee2558cd9a727fa37e8baf
Opcode Fuzzy Hash: 9342070341c078419b904978260440b0318f837852abbc39c4b827bfb2c319f4
Instruction Fuzzy Hash: 4411FA3AD01219FFEF119BA5C985FADBB79EB04750F200091E605B7290D7716E50DB94

Function 0019E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0019E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0019E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0019E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0019E24D

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 32d5325168c3bcdbeee152bc3170a5c5de1e9f0ee6d02439a274155e4d012104
Instruction ID: a6fe775957e9643ae8709a11a868acee292bd77be4bf294f551c30dec31780dc
Opcode Fuzzy Hash: 32d5325168c3bcdbeee152bc3170a5c5de1e9f0ee6d02439a274155e4d012104
Instruction Fuzzy Hash: 7411C476904358BBCB01DBA8EC09E9E7FACEB45720F144255F929E3692D7B0CD148BA0

Function 0015D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0015CFF9,00000000,00000004,00000000), ref: 0015D218
GetLastError.KERNEL32 ref: 0015D224
__dosmaperr.LIBCMT ref: 0015D22B
ResumeThread.KERNEL32(00000000), ref: 0015D249

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 0649637e78bc42a1f636034899038a5cf0302d240be253f2208f069b766a0e6a
Instruction ID: 382beadb9ef7c9972902b6f31ab4ec02560b22edd4e4b90f0dcd46104378039f
Opcode Fuzzy Hash: 0649637e78bc42a1f636034899038a5cf0302d240be253f2208f069b766a0e6a
Instruction Fuzzy Hash: DD01C076805204FBCB215BA6EC09AAA7E69EF91732F100219FD359A1D0DB70C94A87E0

Function 001C9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

GetClientRect.USER32(?,?), ref: 001C9F31
GetCursorPos.USER32(?), ref: 001C9F3B
ScreenToClient.USER32(?,?), ref: 001C9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 001C9F7A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: a359b3f03a8fc86cc69237cffc1ed676047828dda1aa0ebe9be77bc664f2ca85
Instruction ID: 58e547eccb8ddc955a4e6c07b27364dd10909d4a65960fd8fa1999a6a4636337
Opcode Fuzzy Hash: a359b3f03a8fc86cc69237cffc1ed676047828dda1aa0ebe9be77bc664f2ca85
Instruction Fuzzy Hash: C9110332A0021AEBDB10DFA8D889EEE7BB9EB55311F000459F911E7151D730FA91CBA1

Function 0013600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0013604C
GetStockObject.GDI32(00000011), ref: 00136060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0013606A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 6bb72eb30eb0d251de038456b75eaed8958367e4a8b33cc3f3f6350134737906
Instruction ID: f4e2773b235eb03cec01b6d2a93d54c8e4a6065706a8200fb59bc2ac91f8accb
Opcode Fuzzy Hash: 6bb72eb30eb0d251de038456b75eaed8958367e4a8b33cc3f3f6350134737906
Instruction Fuzzy Hash: AC116D72501648BFEF164FA49C45EEABF69EF193A4F044215FA1852110D736DCA0DBA0

Function 00153B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00153B56

Part of subcall function 00153AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00153AD2
Part of subcall function 00153AA3: ___AdjustPointer.LIBCMT ref: 00153AED

_UnwindNestedFrames.LIBCMT ref: 00153B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00153B7C
CallCatchBlock.LIBVCRUNTIME ref: 00153BA4

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cb815e3f9f775657cd4d808db00ad826daf8fb43deebb212f618a1396f74bceb
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D7012932100148FBDF125E95CC42EEB3B69EF58799F044014FE689B121C732E965EBA0

Function 00163073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001313C6,00000000,00000000,?,0016301A,001313C6,00000000,00000000,00000000,?,0016328B,00000006,FlsSetValue), ref: 001630A5
GetLastError.KERNEL32(?,0016301A,001313C6,00000000,00000000,00000000,?,0016328B,00000006,FlsSetValue,001D2290,FlsSetValue,00000000,00000364,?,00162E46), ref: 001630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0016301A,001313C6,00000000,00000000,00000000,?,0016328B,00000006,FlsSetValue,001D2290,FlsSetValue,00000000), ref: 001630BF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 628192c17727d6cccbac09918027b2d8a24f79166b4133ab9a088d6b1049b434
Instruction ID: d17ca770896afea03105cfd2c569bb54ec283af87440fc1b017665c66d7c9bbc
Opcode Fuzzy Hash: 628192c17727d6cccbac09918027b2d8a24f79166b4133ab9a088d6b1049b434
Instruction Fuzzy Hash: 5A012B32302322ABCB314B79EC48E577B98EF05BA1B110620F929E3540CB31DD59C6E0

Function 00197464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0019747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00197497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001974CA

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: de2a888a704bab982f31a7169529b7ad0e06d15ee1ded4cc5ee71bb66d31990e
Instruction ID: e323dcdc8e4a254a3fbde73c0cfd963f54e2f22a42ee100c1c63236f1fae27b7
Opcode Fuzzy Hash: de2a888a704bab982f31a7169529b7ad0e06d15ee1ded4cc5ee71bb66d31990e
Instruction Fuzzy Hash: D411ADB1219310ABEB208F14DC09FA27FFCEF00B00F108569E61AD7592D7B0E944DBA0

Function 0019B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0019ACD3,?,00008000), ref: 0019B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0019ACD3,?,00008000), ref: 0019B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0019ACD3,?,00008000), ref: 0019B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0019ACD3,?,00008000), ref: 0019B126

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c93e076c22593e6c919df485d8a328d78ee324d7b9141d91d7b470bea5bb04f6
Instruction ID: b43ae6a331ea2561311e80e59fdaa8f4c66c043b89b5e8d43593bf47d691743d
Opcode Fuzzy Hash: c93e076c22593e6c919df485d8a328d78ee324d7b9141d91d7b470bea5bb04f6
Instruction Fuzzy Hash: 73115E71C0552CD7CF049FE5FAA8AEEBF78FF49711F154095D941B2141CB3099508B91

Function 001C7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001C7E33
ScreenToClient.USER32(?,?), ref: 001C7E4B
ScreenToClient.USER32(?,?), ref: 001C7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001C7E8A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 848e7f99dae7d7c4083063d5963b9f1764b39d788802f8a19a832af585f1c3c6
Instruction ID: a6af221b72bf88d6fef8f3d68f8d2d31ab291226993e1e0d8665b5b72d4a167a
Opcode Fuzzy Hash: 848e7f99dae7d7c4083063d5963b9f1764b39d788802f8a19a832af585f1c3c6
Instruction Fuzzy Hash: 611186B9D0024AAFDB41CF98C884AEEBBF5FF18310F104056E915E3610D735AA94CF90

Function 00192DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00192DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00192DD6
GetCurrentThreadId.KERNEL32 ref: 00192DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00192DE4

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1e491e48f07d3e36fe58431be10929e734dfb7ae244433cd8cdef84429003416
Instruction ID: 002ed3b1d8bba05d6e5fa08c74236b390a11dd313c4de25ee08f4b37884bfe7d
Opcode Fuzzy Hash: 1e491e48f07d3e36fe58431be10929e734dfb7ae244433cd8cdef84429003416
Instruction Fuzzy Hash: 55E06D71501234BADB201BA29C0DEEB3EACEF42BA1F010015F10AD15809AA0C881C6F0

Function 001C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00149639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00149693
Part of subcall function 00149639: SelectObject.GDI32(?,00000000), ref: 001496A2
Part of subcall function 00149639: BeginPath.GDI32(?), ref: 001496B9
Part of subcall function 00149639: SelectObject.GDI32(?,00000000), ref: 001496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001C8887
LineTo.GDI32(?,?,?), ref: 001C8894
EndPath.GDI32(?), ref: 001C88A4
StrokePath.GDI32(?), ref: 001C88B2

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 33e35cf8f7f1bc175520a966dea4d49829e7fdb0ce77a9f51a93672111c052c0
Instruction ID: 4340abd62787f23795a7e9673d89178398c69dc33f462fdb268bea9206495eb9
Opcode Fuzzy Hash: 33e35cf8f7f1bc175520a966dea4d49829e7fdb0ce77a9f51a93672111c052c0
Instruction Fuzzy Hash: 23F0823A041258FBDB125F94AC0DFDE3F59AF16310F048004FA55658E2C7759961CFE5

Function 001498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001498CC
SetTextColor.GDI32(?,?), ref: 001498D6
SetBkMode.GDI32(?,00000001), ref: 001498E9
GetStockObject.GDI32(00000005), ref: 001498F1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 06db8d2a611ab2226219667eeb05f97882648051b4c4ac0b204216a8099faad5
Instruction ID: bd44502294f91bc8f9d29af9a37c0a158a9c2f690eaeb15220593e78e673d937
Opcode Fuzzy Hash: 06db8d2a611ab2226219667eeb05f97882648051b4c4ac0b204216a8099faad5
Instruction Fuzzy Hash: 11E03931644280AADB215B75AC09BE93F21AB52336F188219F6BA984E1C3718A809F10

Function 0019162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00191634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001911D9), ref: 0019163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001911D9), ref: 00191648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001911D9), ref: 0019164F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: eba84f98e8b3970c1e60b91c0a348f43dfc0212be177c4b0d71c56920abcbb49
Instruction ID: b1e114cfc9b5ac804afd025918980e05d37d8c33314e55ea5746b462069d076f
Opcode Fuzzy Hash: eba84f98e8b3970c1e60b91c0a348f43dfc0212be177c4b0d71c56920abcbb49
Instruction Fuzzy Hash: 8CE04F75A01211ABDB201BA0AD0DF473F68BF54B91F184808F249C9480D774C8C1C790

Function 0018D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0018D858
GetDC.USER32(00000000), ref: 0018D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0018D882
ReleaseDC.USER32(?), ref: 0018D8A3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e76bc89c16cb0c37b3e459bcae16a35547c0a6bdbe04163549586dcf04a5cdb2
Instruction ID: ffb7dcdc5345cc18143f731b416f54d2ee8553e29c59459343dad5546dc6792d
Opcode Fuzzy Hash: e76bc89c16cb0c37b3e459bcae16a35547c0a6bdbe04163549586dcf04a5cdb2
Instruction Fuzzy Hash: 85E01AB4800214DFCF41AFA0D90CA6DBFB5FB08310F158009F84AE7750C7388992AF80

Function 0018D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0018D86C
GetDC.USER32(00000000), ref: 0018D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0018D882
ReleaseDC.USER32(?), ref: 0018D8A3

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d47fe3fad0b07d659eeedf14dd8b6a31852a19c158bc937e3113fcb3e52fb1a9
Instruction ID: d5efd148f8b2b8daa45c7643cd39a6b7211d22544cc70a3b5970253c748b3e9e
Opcode Fuzzy Hash: d47fe3fad0b07d659eeedf14dd8b6a31852a19c158bc937e3113fcb3e52fb1a9
Instruction Fuzzy Hash: 33E012B4800210EFCF40AFA0D90CA6DBFB5BB08310F148008F84AE7760CB389982AF80

Function 001A4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00137620: _wcslen.LIBCMT ref: 00137625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001A4ED4

Strings

LPT, xrefs: 001A4DFB
*, xrefs: 001A4E10

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 25230a2921ff14dc21c08a07f57abaeacd60dc1b8a8de629f73d4f7d31fe6895
Instruction ID: aba6d74a010dcc03acbb8f13e2926981c0eb113f23ad5a96bf4149c276370b81
Opcode Fuzzy Hash: 25230a2921ff14dc21c08a07f57abaeacd60dc1b8a8de629f73d4f7d31fe6895
Instruction Fuzzy Hash: E6917179A00204DFDB14DF58C484EAABBF1BF95304F198099E80A9F3A2D775ED85CB91

Function 0015E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0015E30D

Strings

pow, xrefs: 0015E2E5, 0015E302

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2c6f43efee231566cdd55ea5f1dec8db10e85c42a747b129b1b549eac5c7c6f9
Instruction ID: e56505df953eed3adeb6ab28b7397abc8d62c1e863d3622c87dc8b170a0f98d7
Opcode Fuzzy Hash: 2c6f43efee231566cdd55ea5f1dec8db10e85c42a747b129b1b549eac5c7c6f9
Instruction Fuzzy Hash: 57519C61E0D202D6CB1D7714CD013797BE4AB20746F304D99E8F68A2E9EB358DEDDA42

Function 0014E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0014E1B1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ad7ff1a02ad4ac13adb26d08390fb602ccf515422820a5aa78c944fa1c622c31
Instruction ID: 96796c7056163de5f30142ae25a631b7b2179ee3273ee7c21aaadd246dcaaca8
Opcode Fuzzy Hash: ad7ff1a02ad4ac13adb26d08390fb602ccf515422820a5aa78c944fa1c622c31
Instruction Fuzzy Hash: CF510475604246DFDB19EF68C481ABA7BE4FF66310F248059FC919B2E0D7749E42CB90

Function 0014F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0014F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0014F2BB

Strings

@, xrefs: 0014F2AF

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6c398dcf61c62ff68ad2d9d97936a8eaffc91462c4ada9b6ddd3a15df5b41798
Instruction ID: 56cd381534f00f7b5eae837112708a629bf2dd0ab0c34cf045e05eaab6d8188e
Opcode Fuzzy Hash: 6c398dcf61c62ff68ad2d9d97936a8eaffc91462c4ada9b6ddd3a15df5b41798
Instruction Fuzzy Hash: 83515671408748ABE320AF54DC86BAFBBF8FB95300F81884CF1D9411A5EB308569CB66

Function 001B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001B57E0
_wcslen.LIBCMT ref: 001B57EC

Strings

CALLARGARRAY, xrefs: 001B57E6, 001B57EB

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d9e7cbc2349a5eb7d1ab97d5d4d919c05b5b4cd245722beb781f254c52dda946
Instruction ID: 18259ec122b610eae8e4a7f3c6717f6336e618cadcb253fa166163f12f1affe4
Opcode Fuzzy Hash: d9e7cbc2349a5eb7d1ab97d5d4d919c05b5b4cd245722beb781f254c52dda946
Instruction Fuzzy Hash: 9D417171E001099FCF14DFAAC885AFEBBB6FF69324F144069E505AB291E7709D81CB90

Function 001AD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001AD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001AD13A

Strings

|, xrefs: 001AD10B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d44f9450d8a2dbd540d0e40475d034591206b152bef3d8070ece4d8a9113da73
Instruction ID: 68ab8eeb002db23fe4ec9de4a45cbae37c40351a9f4472a76a7065db42204282
Opcode Fuzzy Hash: d44f9450d8a2dbd540d0e40475d034591206b152bef3d8070ece4d8a9113da73
Instruction Fuzzy Hash: B3315075D00209ABCF15EFA4DC85EEEBFB9FF19300F004069F815A6162D735AA46CB90

Function 001C356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001C3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001C365C

Strings

static, xrefs: 001C35BC

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 53eb851f58a587037c3b7dd77cfa062dc860aee3b9fbcbc6fef7de3c8c39dab0
Instruction ID: 69f4e2e2e6e68567fa70ae7c772bf7ca243bfed892796dad00cc5095a30bb3b1
Opcode Fuzzy Hash: 53eb851f58a587037c3b7dd77cfa062dc860aee3b9fbcbc6fef7de3c8c39dab0
Instruction Fuzzy Hash: 24318C71110204AADB149F68DC81FFB73A9FFA8760F00961DF9A597290DB31ED91DB60

Function 001C4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 001C461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001C4634

Strings

', xrefs: 001C458E

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0d350f75a30351fd1295c84a315c42ae57f04995dbf3e7c6cea84e1ff3411774
Instruction ID: 4680dd9e098a3b8fdbccef56de4d71f9be55b4884d8af5e283c25a02c9b569a8
Opcode Fuzzy Hash: 0d350f75a30351fd1295c84a315c42ae57f04995dbf3e7c6cea84e1ff3411774
Instruction Fuzzy Hash: 71311374A0431A9FDB14CFA9C9A1BEABBB5FB19300F10406AE904AB385D770E941CF90

Function 001C31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001C327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C3287

Strings

Combobox, xrefs: 001C3249

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ad1f145613544ed334b00d9b6da4723b0490f9033856f7980e107a4f36a6c749
Instruction ID: 706d4239b9886373b0b9d2a23864ca39323c7d695913c6d715050571dc38570e
Opcode Fuzzy Hash: ad1f145613544ed334b00d9b6da4723b0490f9033856f7980e107a4f36a6c749
Instruction Fuzzy Hash: 911190712002087FEF259E94DC85FBB3B6AEBA43A4F108129F92897291D771DD519760

Function 001C3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0013600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0013604C
Part of subcall function 0013600E: GetStockObject.GDI32(00000011), ref: 00136060
Part of subcall function 0013600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0013606A

GetWindowRect.USER32(00000000,?), ref: 001C377A
GetSysColor.USER32(00000012), ref: 001C3794

Strings

static, xrefs: 001C3757

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 087620f317895bd761823e0442ec057ea8940dfa99feedb48902c3d12ecd7011
Instruction ID: 0ff41b396cb28bc9d519d9cee95fa4752dc7a5fe965622e26d95393288c3d9d4
Opcode Fuzzy Hash: 087620f317895bd761823e0442ec057ea8940dfa99feedb48902c3d12ecd7011
Instruction Fuzzy Hash: D6113AB2610209AFDF01DFA8CC4AEEA7BF8FB18354F004518F965E2250D735E9519B50

Function 001ACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001ACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001ACDA6

Strings

<local>, xrefs: 001ACD66

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7e92fdf09a3930fd83d78c82fe5652ca9ff596b1911df6fdee0fe58cc1857b01
Instruction ID: 4b2a58a123bf467c7097a542d2f95adc339b6e59677577f3487f573fe5131633
Opcode Fuzzy Hash: 7e92fdf09a3930fd83d78c82fe5652ca9ff596b1911df6fdee0fe58cc1857b01
Instruction Fuzzy Hash: 1511C279205635BAD7384BA68C49EF7BEACEF137A4F00422AB11983180D7709840D6F0

Function 001C3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001C34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001C34BA

Strings

edit, xrefs: 001C348F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7f79446ee6a3be70ecde85c3e98efd818d354886e81cd7b2d6b2b95dbf5150ce
Instruction ID: 08e0c4cb390b70ad3d9c73ddfc665527d359eb501fa60b5ba8f6d24370edbaef
Opcode Fuzzy Hash: 7f79446ee6a3be70ecde85c3e98efd818d354886e81cd7b2d6b2b95dbf5150ce
Instruction Fuzzy Hash: 49116D71100208AAEB164E64DC85FEA3B6AEB25774F508328F975931D0C771DD919B50

Function 00196C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

CharUpperBuffW.USER32(?,?,?), ref: 00196CB6
_wcslen.LIBCMT ref: 00196CC2

Strings

STOP, xrefs: 00196CBC, 00196CC1

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ec06bcd7006cd5c0823c4f1e8172b4747a3157737c1492455f82f1f3cbb00508
Instruction ID: d519db36442ef3520fb3489eca92b9fa92ad705c4bef4bbfb33e961a86561365
Opcode Fuzzy Hash: ec06bcd7006cd5c0823c4f1e8172b4747a3157737c1492455f82f1f3cbb00508
Instruction Fuzzy Hash: 3F01C032A1452A8BCF21AFFDDC819BF77E5EF61754B510528F8A296190EB31E940C660

Function 00191CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 00193CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00193CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00191D4C

Strings

ComboBox, xrefs: 00191CEB
ListBox, xrefs: 00191D16

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 888790064ef94626f9a5234a00531478a1c3ce92472510bd7c7f57454575313c
Instruction ID: 5b4ba9a3ad969b32fbfa2b5e8c5bb22fad473d4d58c7808b3e4dbd33df855f4f
Opcode Fuzzy Hash: 888790064ef94626f9a5234a00531478a1c3ce92472510bd7c7f57454575313c
Instruction Fuzzy Hash: 8801B571601219ABCF08EBA4CD55CFE77A9EB56390B04091AE832572C1EB7059488660

Function 00191BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 00193CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00193CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00191C46

Strings

ComboBox, xrefs: 00191BE5
ListBox, xrefs: 00191C10

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0e78fa5c28f0da7451cb5d2d9e399061913bdc2018573bfca609ad0a7f669f31
Instruction ID: 382405f1849dc6964a0e0feb7af70c07d40a1b4c7f0008df1f60dc06e5831637
Opcode Fuzzy Hash: 0e78fa5c28f0da7451cb5d2d9e399061913bdc2018573bfca609ad0a7f669f31
Instruction Fuzzy Hash: DC01A275A851097ACF09EBA0CA52EFF77A99F61340F14001AB91667281EB609F48D6B1

Function 00191C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 00193CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00193CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00191CC8

Strings

ComboBox, xrefs: 00191C69
ListBox, xrefs: 00191C94

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cbc070d70ece93746998f971cc04edecbb21d1b5bec93f6779acaeb77be4ea91
Instruction ID: 4f046dd056fe37fb144c956eed3c9d30d4511c19e73d548c8de6a5fc950c5695
Opcode Fuzzy Hash: cbc070d70ece93746998f971cc04edecbb21d1b5bec93f6779acaeb77be4ea91
Instruction Fuzzy Hash: 0B01D1B5A8011977CF04EBA0CA02EFE77A99B21380F540016B906B7281EBA09F48D6B1

Function 00191D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 00193CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00193CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00191DD3

Strings

ComboBox, xrefs: 00191D75
ListBox, xrefs: 00191DA0

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4c47f5becb64f5e3b912981e1991ce9a865d1a1153f80c7eaf994f85a8157464
Instruction ID: 6aba192d1df615c3e2baf04e4ba3ca2507a23a880093fb94d6e2ff148da92d6e
Opcode Fuzzy Hash: 4c47f5becb64f5e3b912981e1991ce9a865d1a1153f80c7eaf994f85a8157464
Instruction Fuzzy Hash: 78F0A475A4121976DF08E7E4CD56EFE77A8AB11350F440915B926A72C1DBA0590882A0

Function 001C8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00203018,0020305C), ref: 001C81BF
CloseHandle.KERNEL32 ref: 001C81D1

Strings

\0 , xrefs: 001C818A

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0
API String ID: 3712363035-2127501565
Opcode ID: 750793a0e7c27cdcb0fdc00956d35b0172eb8e3d4e291f59158d48508fb048a6
Instruction ID: 4c1501d1da4189b050300cf41308a99fef41c6c8622881b65b7aced264f713a2
Opcode Fuzzy Hash: 750793a0e7c27cdcb0fdc00956d35b0172eb8e3d4e291f59158d48508fb048a6
Instruction Fuzzy Hash: 21F03AB2641300BAE320AB61BC49FB73A5DEB19751F004461FA08D91A2D6758E5482E8

Function 001B747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B7493
_wcslen.LIBCMT ref: 001B74B9

Strings

3, 3, 16, 1, xrefs: 001B7483

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 5ed2ff7d2e13b9e3da031e253b028089355917c92c3723ddbd6f3dd24671429c
Instruction ID: 84a4c1a2c3a06a6a7363a40e8cc1c414799f75c1be424c089a40bb5754e9b464
Opcode Fuzzy Hash: 5ed2ff7d2e13b9e3da031e253b028089355917c92c3723ddbd6f3dd24671429c
Instruction Fuzzy Hash: 15E02B026042206192311279ACC29BF5689DFD9756710182BFD81C62E6EBA48DD193A0

Function 00190B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00190B23

Strings

Error allocating memory., xrefs: 00190B1C
AutoIt, xrefs: 00190B17

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 04eee5365e31591ae5cad96e1f1e961c94023d1b81ec21cddc37faffae64b400
Instruction ID: a660d7b16b70d996988949f536b7c8b47310f67f3d5bd1164f5fa1197f73763e
Opcode Fuzzy Hash: 04eee5365e31591ae5cad96e1f1e961c94023d1b81ec21cddc37faffae64b400
Instruction Fuzzy Hash: C9E0D8312443083AD21437947C03FC97A85CF15F15F10042EFB9C659D38BE2689106E9

Function 00150D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0014F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00150D71,?,?,?,0013100A), ref: 0014F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0013100A), ref: 00150D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0013100A), ref: 00150D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00150D7F

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f99de91f9a2f49a4fe4346559134d9c28681dc58835957b491e12375f8cb54eb
Instruction ID: 39169d452013438a0d0ea810e5fbaf929b7163b2573ee88d81ec8dbf31651697
Opcode Fuzzy Hash: f99de91f9a2f49a4fe4346559134d9c28681dc58835957b491e12375f8cb54eb
Instruction Fuzzy Hash: DEE06D742003418BD3219FF8E508B42BBF1AF18741F00492DE896CA652DBB4E8898B91

Function 0014E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0014E3D5

Strings

0% , xrefs: 0014E3B5
8% , xrefs: 0014E3CA

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0% $8%
API String ID: 1385522511-1964686787
Opcode ID: 7635c2bb300fc79c691ca2659a5f17d8ea656a21b9d30408d5dec0dcc6aac4ca
Instruction ID: 562ac4730d03fa55be9c6272a87b99fdcf7da13756022c544b542e5ac0237ada
Opcode Fuzzy Hash: 7635c2bb300fc79c691ca2659a5f17d8ea656a21b9d30408d5dec0dcc6aac4ca
Instruction Fuzzy Hash: 3BE08631414B10CBCB0E9B18BEDDE883795BB19320F9111AAF5228B1E39B71684A865D

Function 001A3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001A302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001A3044

Strings

aut, xrefs: 001A3038

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 9bbfcc6ea3c12e601f002a64fc8efe7eef9cb0714fc340d314bf74c872c68a81
Instruction ID: ae2b63708382758c9d4b4d2d3078f61475d19f80e06eb3c4cd9abac213eae188
Opcode Fuzzy Hash: 9bbfcc6ea3c12e601f002a64fc8efe7eef9cb0714fc340d314bf74c872c68a81
Instruction Fuzzy Hash: 3CD05E7250032867DA20E7A4AC0EFDB7E7CDB04750F0002A1B659E2491DAB0D984CAD0

Function 0018D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0018D220

Strings

X64, xrefs: 0018D2A8
%.3d, xrefs: 0018D22B

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 41d8f42625dbe67fa8d3123526134d0535a5ec36f3b42da066d2af4cbd1f16c6
Instruction ID: fa5b8baebcb0b018b29d6fe3bd3eeec726009eded947d19c0b86e6b2280b0ae8
Opcode Fuzzy Hash: 41d8f42625dbe67fa8d3123526134d0535a5ec36f3b42da066d2af4cbd1f16c6
Instruction Fuzzy Hash: 42D01261808208F9CB54A7D0EC49CBAB37DFB18341F528452F90792080D724C6486F61

Function 001C2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001C232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001C233F

Part of subcall function 0019E97B: Sleep.KERNEL32 ref: 0019E9F3

Strings

Shell_TrayWnd, xrefs: 001C2325

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 74be32afb7421962aeff970ba20e0a18980aa485fa5184ca1734ae085d236a26
Instruction ID: b8cff3c25c2c8fcc8533bac49f634c4a43bea4a085b52bf9f271c3a0c9aa41ec
Opcode Fuzzy Hash: 74be32afb7421962aeff970ba20e0a18980aa485fa5184ca1734ae085d236a26
Instruction Fuzzy Hash: CBD0C936794350B6E664B771DC0FFD67A549B10B14F004A16B74AAA1D0CAA4A841CA94

Function 001C2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001C236C
PostMessageW.USER32(00000000), ref: 001C2373

Part of subcall function 0019E97B: Sleep.KERNEL32 ref: 0019E9F3

Strings

Shell_TrayWnd, xrefs: 001C2365

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 99146ef4f8c072a503613edc8f36b94be3188ee6acf48eb96c22563058ea85fe
Instruction ID: 2ee80d98b5b6f651c2c988875d5cc57e31909437b0e8bfe063c3b558aa46334a
Opcode Fuzzy Hash: 99146ef4f8c072a503613edc8f36b94be3188ee6acf48eb96c22563058ea85fe
Instruction Fuzzy Hash: 5DD0C9327C13507AE664B771DC0FFC67A549B14B14F004A16B74AEA1D0CAA4A841CA94

Function 0016BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0016BE93
GetLastError.KERNEL32 ref: 0016BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0016BEFC

Memory Dump Source

Source File: 00000000.00000002.1361911677.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1361480217.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362033934.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362106883.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1362201632.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: dca9b1f22f3ee3a263cea51f8ddfbe8773cabe6d95e1f6388a5a9041efcb9d6f
Instruction ID: 7888f6d67a89aa76002d53d9763cf0fa525ef3e73b13a48a165b8cc3009a98db
Opcode Fuzzy Hash: dca9b1f22f3ee3a263cea51f8ddfbe8773cabe6d95e1f6388a5a9041efcb9d6f
Instruction Fuzzy Hash: EA412735608206EFCF258FA5CCC4ABA7BA5EF11310F1541A9F959DB1B1DB318CA1CB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000F.00000003.1516301398.0000262585804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1516301398.0000262585804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1509904031.000001EB617E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1492964822.000001EB617E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1516782020.000001EB617E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1503158350.000001EB59DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1517159180.000001EB5FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1509904031.000001EB617E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1517159180.000001EB5FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1509904031.000001EB617E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1492964822.000001EB617E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1509904031.000001EB617E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1492964822.000001EB617E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1534902557.000001EB5A053000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1503158350.000001EB59DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1517159180.000001EB5FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1509904031.000001EB617E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1517159180.000001EB5FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1509904031.000001EB617E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1492964822.000001EB617E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1518603073.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535241191.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513185342.000001EB59A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1509904031.000001EB617E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1492964822.000001EB617E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1534902557.000001EB5A053000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1516301398.0000262585804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49924 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.7:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49935 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49934 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50040 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_624a379a-9541-4898-b5f3-64994def33a0.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_624a379a-9541-4898-b5f3-64994def33a0.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre