Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561536
MD5:	b607f667b23f2e1a00ed1246555f3f09
SHA1:	0c75ffff839c4eceaeb2b3c0ad13002d297de76f
SHA256:	44b1e5da02727ac5f7547095c9cdd7e2b97812993e99e4ffeddaacc9cd95289a
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

file.exe (PID: 2552 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B607F667B23F2E1A00ED1246555F3F09)

taskkill.exe (PID: 2440 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2024 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7136 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6956 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6912 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5112 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7136 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4512 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7220 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a8b3303-1cda-4aeb-916b-d80e871d8579} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2366dc6e310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7912 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -parentBuildID 20230927232528 -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f858d9a-ddf6-4353-9a58-09ef593d3a72} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2367fce9f10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7696 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4960 -prefMapHandle 3488 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba64bda-c318-453b-92d6-3178d6fad286} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 23685e59110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 2552	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 4_2_0051EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

4_2_0051EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0051ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

4_2_0051ED6A

Source: C:\Users\user\Desktop\file.exe

4_2_0051EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0050AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

4_2_0050AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_00539576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

4_2_00539576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000004.00000000.1278975666.0000000000562000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5ca0385b-e
Source: file.exe, 00000004.00000000.1278975666.0000000000562000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bd001de7-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d6e338c4-9
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_85f25d1b-f

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000022A8CBF42F7 NtQuerySystemInformation,		23_2_0000022A8CBF42F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000022A8CBFA872 NtQuerySystemInformation,		23_2_0000022A8CBFA872

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0050D5EB: CreateFileW,DeviceIoControl,CloseHandle,

4_2_0050D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_00501201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

4_2_00501201

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0050E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

4_2_0050E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004ABF40	4_2_004ABF40
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00512046	4_2_00512046
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004A8060	4_2_004A8060
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00508298	4_2_00508298
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004DE4FF	4_2_004DE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004D676B	4_2_004D676B
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00534873	4_2_00534873
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004ACAF0	4_2_004ACAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004CCAA0	4_2_004CCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004BCC39	4_2_004BCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004D6DD9	4_2_004D6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004BB119	4_2_004BB119
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004A91C0	4_2_004A91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C1394	4_2_004C1394
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C1706	4_2_004C1706
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C781B	4_2_004C781B
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004B997D	4_2_004B997D
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004A7920	4_2_004A7920
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C19B0	4_2_004C19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C7A4A	4_2_004C7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C1C77	4_2_004C1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C7CA7	4_2_004C7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0052BE44	4_2_0052BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004D9EEE	4_2_004D9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C1F32	4_2_004C1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000022A8CBF42F7	23_2_0000022A8CBF42F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000022A8CBFA872	23_2_0000022A8CBFA872
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000022A8CBFAF9C	23_2_0000022A8CBFAF9C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000022A8CBFA8B2	23_2_0000022A8CBFA8B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004A9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004BF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004C0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_005137B5 GetLastError,FormatMessageW,

4_2_005137B5

Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_005010BF AdjustTokenPrivileges,CloseHandle,		4_2_005010BF
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_005016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		4_2_005016C3

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_005151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

4_2_005151CD

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0050D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

4_2_0050D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0051648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

4_2_0051648E

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

4_2_004A42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files\Mozilla Firefox\firefox.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000013.00000003.1494038452.000002367EEE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000013.00000003.1494038452.000002367EEE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000013.00000003.1494038452.000002367EEE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000013.00000003.1494038452.000002367EEE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000013.00000003.1494038452.000002367EEE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000013.00000003.1494038452.000002367EEE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000013.00000003.1494038452.000002367EEE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000013.00000003.1494038452.000002367EEE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000013.00000003.1494038452.000002367EEE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a8b3303-1cda-4aeb-916b-d80e871d8579} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2366dc6e310 socket
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -parentBuildID 20230927232528 -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f858d9a-ddf6-4353-9a58-09ef593d3a72} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2367fce9f10 rdd
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4960 -prefMapHandle 3488 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba64bda-c318-453b-92d6-3178d6fad286} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 23685e59110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a8b3303-1cda-4aeb-916b-d80e871d8579} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2366dc6e310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -parentBuildID 20230927232528 -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f858d9a-ddf6-4353-9a58-09ef593d3a72} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2367fce9f10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4960 -prefMapHandle 3488 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba64bda-c318-453b-92d6-3178d6fad286} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 23685e59110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 00000013.00000003.1408255147.000002368A3A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.19.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.19.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 00000013.00000003.1408255147.000002368A3A3000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

4_2_004A42DE

Source: gmpopenh264.dll.tmp.19.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004C0A76 push ecx; ret

4_2_004C0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		4_2_004BF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00531C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		4_2_00531C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_4-95332

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_0000022A8CBF42F7 rdtsc

23_2_0000022A8CBF42F7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0050DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	4_2_0050DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004DC2A2 FindFirstFileExW,	4_2_004DC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_005168EE FindFirstFileW,FindClose,	4_2_005168EE
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0051698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	4_2_0051698F
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0050D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_0050D076
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0050D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_0050D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00519642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_00519642
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0051979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_0051979D
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00519B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	4_2_00519B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00515C97 FindFirstFileW,FindNextFileW,FindClose,	4_2_00515C97

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

4_2_004A42DE

Source: firefox.exe, 00000015.00000002.2527691906.000002D72C51A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW360
Source: firefox.exe, 00000015.00000002.2528352865.000002D72C5C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2523321685.0000022A8C89A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2531992272.0000022A8D090000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2523788154.000002259978A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000015.00000002.2531788661.000002D72CA16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000018.00000002.2530805987.0000022599C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: firefox.exe, 00000015.00000002.2527691906.000002D72C51A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000015.00000002.2528352865.000002D72C5C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2531992272.0000022A8D090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_0000022A8CBF42F7 rdtsc

23_2_0000022A8CBF42F7

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0051EAA2 BlockInput,

4_2_0051EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_004D2622

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

4_2_004A42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004C4CE8 mov eax, dword ptr fs:[00000030h]

4_2_004C4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_00500B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

4_2_00500B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_004D2622
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_004C083F
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C09D5 SetUnhandledExceptionFilter,	4_2_004C09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_004C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_004C0C21

Source: C:\Users\user\Desktop\file.exe

4_2_00501201

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004E2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

4_2_004E2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0050B226 SendInput,keybd_event,

4_2_0050B226

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_005222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

4_2_005222DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=2284 -parentbuildid 20230927232528 -prefshandle 2228 -prefmaphandle 2220 -prefslen 25302 -prefmapsize 237879 -win32klockeddown -appdir "c:\program files\mozilla firefox\browser" - {2a8b3303-1cda-4aeb-916b-d80e871d8579} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2366dc6e310 socket
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=4092 -parentbuildid 20230927232528 -prefshandle 3836 -prefmaphandle 3832 -prefslen 26317 -prefmapsize 237879 -appdir "c:\program files\mozilla firefox\browser" - {8f858d9a-ddf6-4353-9a58-09ef593d3a72} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2367fce9f10 rdd
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=3224 -parentbuildid 20230927232528 -sandboxingkind 0 -prefshandle 4960 -prefmaphandle 3488 -prefslen 33185 -prefmapsize 237879 -win32klockeddown -appdir "c:\program files\mozilla firefox\browser" - {cba64bda-c318-453b-92d6-3178d6fad286} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 23685e59110 utility

Source: C:\Users\user\Desktop\file.exe

4_2_00500B62

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_00501663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

4_2_00501663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 00000013.00000003.1412441442.000002368A3A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004C0698 cpuid

4_2_004C0698

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_00518195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

4_2_00518195

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004FD27A GetUserNameW,

4_2_004FD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

4_2_004DB952

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

4_2_004A42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 2552, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 2552, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00521204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		4_2_00521204
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00521806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		4_2_00521806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.14	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.65.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 00000013.00000003.1363083029.000002367EFB8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000018.00000002.2528028073.0000022599BC3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000013.00000003.1422673085.0000023687A52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1456267249.0000023687A52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1421091776.0000023689B82000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.19.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000013.00000003.1426901495.000002368602A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1347326122.0000023686032000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1348084414.000002368602E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000017.00000002.2528782723.0000022A8CC86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2528028073.0000022599B8E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000013.00000003.1488672800.00000236866ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471445187.00000236866B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478357199.00000236866B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1361221986.00000236866EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 00000013.00000003.1478735631.0000023686515000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1349864735.000002367F773000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000013.00000003.1520647626.00000236865C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1490889150.0000023681294000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1494379510.000002367EE66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 00000013.00000003.1458608398.0000023686A64000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 00000013.00000003.1361847193.000002367ECD9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000013.00000003.1329303330.000002367D600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1329835779.000002367D822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1330127639.000002367D842000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1330492585.000002367D863000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1330704531.000002367D883000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000013.00000003.1530683652.000002367F35D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1482123008.000002367F35D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000013.00000003.1361664697.000002367EE9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1494254751.000002367EE9F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000013.00000003.1472038436.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1365373018.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1424522437.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1488972335.000002368645D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000013.00000003.1530683652.000002367F35D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1329303330.000002367D600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1329835779.000002367D822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1330127639.000002367D842000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1482123008.000002367F35D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1330492585.000002367D863000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1330704531.000002367D883000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 00000013.00000003.1448991601.0000023680F83000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000013.00000003.1329303330.000002367D600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1329835779.000002367D822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1330127639.000002367D842000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1330492585.000002367D863000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 00000013.00000003.1356684821.0000023686822000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 00000013.00000003.1448201991.0000023685E47000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000013.00000003.1520647626.00000236865C3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000013.00000003.1488672800.00000236866ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471445187.00000236866B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478357199.00000236866B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1361221986.00000236866EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 00000013.00000003.1361664697.000002367EE1D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000013.00000003.1494641337.000002367EDC6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 00000013.00000003.1361847193.000002367ECF4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000013.00000003.1472038436.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1365373018.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1424522437.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1488972335.000002368645D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 00000013.00000003.1460145595.0000023679B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1524487837.0000023679B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000018.00000002.2528028073.0000022599B0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=htQ	firefox.exe, 00000018.00000002.2526373876.0000022599950000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000013.00000003.1363907569.000002367EA3A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 00000013.00000003.1531563732.000002367ECF0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 00000013.00000003.1478735631.0000023686515000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000013.00000003.1494641337.000002367EDC6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000018.00000002.2528028073.0000022599BC3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000013.00000003.1490354538.0000023685E47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1448201991.0000023685E47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000013.00000003.1363907569.000002367EA3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1363370656.000002367EFBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1364189572.000002367EFC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1363083029.000002367EFB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1362808612.000002367EFEA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000013.00000003.1422176442.000002367EA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1462084907.000002367EA50000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000013.00000003.1494143418.000002367EEBE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000013.00000003.1530683652.000002367F35D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1482123008.000002367F35D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.19.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 00000013.00000003.1520242586.00000236866CE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000015.00000002.2528972895.000002D72C9C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2528782723.0000022A8CCF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2531123694.0000022599D03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.19.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000013.00000003.1488972335.000002368645D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000013.00000003.1457223459.00000236865EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1448201991.0000023685EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2528782723.0000022A8CC12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2528028073.0000022599B13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478735631.0000023686515000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 00000013.00000003.1361847193.000002367EC75000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 00000013.00000003.1520304058.00000236866C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471445187.00000236866B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478357199.00000236866B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1488708158.00000236866BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 00000013.00000003.1363370656.000002367EFBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1363063310.000002367EFC7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse	firefox.exe, 00000013.00000003.1472038436.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1365373018.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1424522437.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1488972335.000002368645D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000013.00000003.1373195624.000002367EAF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1423361081.00000236801F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449565757.0000023680F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1422176442.000002367EAA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1422176442.000002367EA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1367762939.000002367EBC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1455038986.0000023686A42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1348280626.000002368601B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1526081706.000002367DDF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1335735825.000002367EAE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1456971083.0000023686939000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1368961037.000002367EBC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1483960164.00000236812E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1367506886.000002367EADA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1529598235.00000236794BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1477508551.000002367EAF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1416761710.0000023680149000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1336148433.000002367EAE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1427585830.0000023681021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1454735749.000002367DDF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1338013792.000002367DDF0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 00000013.00000003.1448991601.0000023680F83000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 00000013.00000003.1448991601.0000023680F83000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.19.dr	false	high
https://www.zhihu.com/	firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1529814430.0000023685FB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1426178765.0000023685FAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 00000013.00000003.1424859153.000002368619B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1446371525.000002368986B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 00000013.00000003.1424859153.000002368619B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1446371525.000002368986B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 00000013.00000003.1520304058.00000236866C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471445187.00000236866B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478357199.00000236866B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1488708158.00000236866BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000013.00000003.1426901495.000002368602A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1347326122.0000023686032000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1348084414.000002368602E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla-hub.atlassian.net/browse/SDK-405	firefox.exe, 00000013.00000003.1361527812.000002367EEB8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000013.00000003.1488972335.0000023686458000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1365373018.0000023686458000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000013.00000003.1349864735.000002367F773000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471445187.000002368661D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000013.00000003.1333025552.000002367B31E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1331970450.000002367B333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1333357324.000002367B333000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 00000013.00000003.1363370656.000002367EFBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1364160889.000002367EFC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1363083029.000002367EFB8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/	firefox.exe, 00000013.00000003.1458608398.0000023686A64000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000013.00000003.1522430528.0000023680446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449701726.000002368043B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1350746080.000002368043B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1492537709.0000023680442000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000013.00000003.1363907569.000002367EA3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1363370656.000002367EFBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1363026710.000002367EFC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1363063310.000002367EFC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1362808612.000002367EFEA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000013.00000003.1333025552.000002367B31E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1460145595.0000023679B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1331970450.000002367B333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1333357324.000002367B333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1524487837.0000023679B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000013.00000003.1494641337.000002367EDC6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000013.00000003.1509194865.00000236800EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1424273325.00000236864D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2528170106.000002D72C570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2527589841.0000022A8CB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2527590630.0000022599990000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561536
Start date and time:	2024-11-23 17:44:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.80.238.59, 52.12.64.98, 35.164.125.63, 172.217.17.74, 172.217.17.42, 172.217.17.78, 88.221.134.155, 88.221.134.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:45:15	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	sora.arm.elf	Get hash	malicious	Mirai	Browse	32.35.17.38
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	57.28.196.7
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	34.14.230.135
	sora.x86.elf	Get hash	malicious	Mirai	Browse	57.237.12.143
	sora.mips.elf	Get hash	malicious	Mirai	Browse	32.250.225.190
	sora.spc.elf	Get hash	malicious	Mirai	Browse	57.175.156.177
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_79bc784b-8891-4895-bc65-536fbdf396da.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.17161884250056
Encrypted:	false
SSDEEP:	192:xMvMi9JKcbhbVbTbfbRbObtbyEl7njjtr1JA6unSrDtTkd/S9+n:xFLcNhnzFSJDjtrw1nSrDhkd/c+n
MD5:	9EA6B7B38A8DB2D745C972D33C55A001
SHA1:	76313EA84F59DEA072AC7D1165F39D3882986C5D
SHA-256:	48E0A632FE18569ABE98B728B08704B8E67124CE845B4A8440EAF8C013CA12F0
SHA-512:	7A202A63987AF9936AA4B561105CCE7CBF1BBF5B9DEC694DAFD1B8AB15E907E1C721DA3EE980B82324BA492010AF58AB4D8DEFE1865ED3404D1D3F1FC1CAC06A
Malicious:	false
Preview:	{"type":"uninstall","id":"79bc784b-8891-4895-bc65-536fbdf396da","creationDate":"2024-11-23T18:39:09.837Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_79bc784b-8891-4895-bc65-536fbdf396da.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.17161884250056
Encrypted:	false
SSDEEP:	192:xMvMi9JKcbhbVbTbfbRbObtbyEl7njjtr1JA6unSrDtTkd/S9+n:xFLcNhnzFSJDjtrw1nSrDhkd/c+n
MD5:	9EA6B7B38A8DB2D745C972D33C55A001
SHA1:	76313EA84F59DEA072AC7D1165F39D3882986C5D
SHA-256:	48E0A632FE18569ABE98B728B08704B8E67124CE845B4A8440EAF8C013CA12F0
SHA-512:	7A202A63987AF9936AA4B561105CCE7CBF1BBF5B9DEC694DAFD1B8AB15E907E1C721DA3EE980B82324BA492010AF58AB4D8DEFE1865ED3404D1D3F1FC1CAC06A
Malicious:	false
Preview:	{"type":"uninstall","id":"79bc784b-8891-4895-bc65-536fbdf396da","creationDate":"2024-11-23T18:39:09.837Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.939548099592862
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLzDngJ8P:8S+Oc+UAOdwiOdKeQjDLzDgJ8P
MD5:	6124F3F8DA099F5355907EF466133727
SHA1:	491DB1C7B7505924C0C48B4A75AFAEC5D7E46B4F
SHA-256:	0302646CBBE47F434372F29FF4EBB4F7EA1FBDCEF29174949B3A4B2CA349EDD8
SHA-512:	179F24B95F83843481B1D1DA242B668F59BA167FAFBDC4A79E27D06A70AB158DC1E8EB411A68CD72F970A51D612D3810A7F165BF441FA24731AD25A369B7D7C0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.939548099592862
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLzDngJ8P:8S+Oc+UAOdwiOdKeQjDLzDgJ8P
MD5:	6124F3F8DA099F5355907EF466133727
SHA1:	491DB1C7B7505924C0C48B4A75AFAEC5D7E46B4F
SHA-256:	0302646CBBE47F434372F29FF4EBB4F7EA1FBDCEF29174949B3A4B2CA349EDD8
SHA-512:	179F24B95F83843481B1D1DA242B668F59BA167FAFBDC4A79E27D06A70AB158DC1E8EB411A68CD72F970A51D612D3810A7F165BF441FA24731AD25A369B7D7C0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07321200860506952
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkilN5o:DLhesh7Owd4+jiX5o
MD5:	7F4126334E4A45B672FEA89B44AB2EC7
SHA1:	E1F3327D38404EAB7F7D6B72DA94DC59CB53276D
SHA-256:	8CD07D3342B3E9AB63A053E33DD9C16C88EBBA1580BB54407D4A8A5144D8F8FC
SHA-512:	9F64A42931A2F8594D9A42EDDD4DC1775F1D40D148DC48FE8EB7D5C1C573DEA4FB16342E8ADE17962AE41EBF250993A8D62B66430C73371E346C0B121B80453B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstF7HZ20eylIPlstF7HZ20ey/llllT89//alEl:GtWtNZ20EPWtNZ20xlJ89XuM
MD5:	0FCD15D87B04DB055A65132A9C55CF61
SHA1:	180A7E686CDA6FC19B80323A9B268CF8D756A967
SHA-256:	C8D6CCB8B9D8C4130B7E140090B62E8C7F0E9A17C78F0A68236E6602A5E84E25
SHA-512:	7AF6DAC88D33C018112405EDAD88BF674B359A4123B4D16B5AADF836662C818183D9D4FB492932E0DEA521DEC12D27B8E150DC280D0BCAC8D0B403800870D130
Malicious:	false
Preview:	..-.....................l..M.\|.3m..,SZ.....!?...-.....................l..M.\|.3m..,SZ.....!?.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039920253262097694
Encrypted:	false
SSDEEP:	3:Ol1k4X3VyllfWlKoyDl8rEXsxdwhml8XW3R2:KrX3VmlDl8dMhm93w
MD5:	8FEC09B8231C70AF02E4FA97397108E9
SHA1:	C6374BC6819B95B9233255E70095CA4EBA6E0604
SHA-256:	60436E039966ADCD99BB1AB4DEA69F2E409C14673C2E5B1E91C2904791CEDB1C
SHA-512:	08482BC7C935FF442E1744D428808817747D44BAB23979190B4C83FF9D2A44C6F9B628050410088C62F96F9ABB744A5BADC6DC6AD6CBAB0E26574FADA477E605
Malicious:	false
Preview:	7....-..........3m..,SZ..XpFv...........3m..,SZ....l.\|.M................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.476530701261275
Encrypted:	false
SSDEEP:	192:lknSRkyYbBp6xqUCaXY6VxzbriNz7v5RHNBw8dbnSl:ze6qUz3brOz3Pwo0
MD5:	50FC53D6BF3486CC4439C8FC6D70A5B8
SHA1:	E69E89B023C3E4657E7BD4A9FBFC60C7CA5DBE89
SHA-256:	561513701F99D93BDC435980CD503F508745DEADFD20626FE8A08DC38E4E6163
SHA-512:	2C689294943FBD9CFADDF8D9DC217DED07AC2EEDBC8C4FFEB0DB727F6C12E8F1BE51F788456CBF243D6C189475EDF17B2E0A4161FBE1E520649B663079B359B7
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732387120);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732387120);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732387120);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173238

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.476530701261275
Encrypted:	false
SSDEEP:	192:lknSRkyYbBp6xqUCaXY6VxzbriNz7v5RHNBw8dbnSl:ze6qUz3brOz3Pwo0
MD5:	50FC53D6BF3486CC4439C8FC6D70A5B8
SHA1:	E69E89B023C3E4657E7BD4A9FBFC60C7CA5DBE89
SHA-256:	561513701F99D93BDC435980CD503F508745DEADFD20626FE8A08DC38E4E6163
SHA-512:	2C689294943FBD9CFADDF8D9DC217DED07AC2EEDBC8C4FFEB0DB727F6C12E8F1BE51F788456CBF243D6C189475EDF17B2E0A4161FBE1E520649B663079B359B7
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732387120);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732387120);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732387120);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173238

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	6.349024657582314
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSZLXnIg8I/pnxQwRlszT5sKhik3eHVVPNZTkSamhuM013pOOcUb3mG:GUpOxYhnR6d3etZTkSi5hdJd
MD5:	88056D2B80C6DD92A3F2E88E2A724F58
SHA1:	86E309BEE251CEE1B2D75C12174BCBAF1855F3F7
SHA-256:	1C546632351F8E8EEA6D5924C5F938A3E6BD79BE6DFAEC2E0E1DD7CCA593312A
SHA-512:	63F459BD10972E2EDAC85BA8ABB8AD588987E443613353826A5D39F1DF75A15F235C19CA587257251057B46671F879C5137B6CF6C60CDC24510487EBE13C0078
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{19f1aa7d-2847-4e93-8415-181d07ac29a0}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732387124183,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`089740...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....093026,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	6.349024657582314
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSZLXnIg8I/pnxQwRlszT5sKhik3eHVVPNZTkSamhuM013pOOcUb3mG:GUpOxYhnR6d3etZTkSi5hdJd
MD5:	88056D2B80C6DD92A3F2E88E2A724F58
SHA1:	86E309BEE251CEE1B2D75C12174BCBAF1855F3F7
SHA-256:	1C546632351F8E8EEA6D5924C5F938A3E6BD79BE6DFAEC2E0E1DD7CCA593312A
SHA-512:	63F459BD10972E2EDAC85BA8ABB8AD588987E443613353826A5D39F1DF75A15F235C19CA587257251057B46671F879C5137B6CF6C60CDC24510487EBE13C0078
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{19f1aa7d-2847-4e93-8415-181d07ac29a0}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732387124183,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`089740...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....093026,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	6.349024657582314
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSZLXnIg8I/pnxQwRlszT5sKhik3eHVVPNZTkSamhuM013pOOcUb3mG:GUpOxYhnR6d3etZTkSi5hdJd
MD5:	88056D2B80C6DD92A3F2E88E2A724F58
SHA1:	86E309BEE251CEE1B2D75C12174BCBAF1855F3F7
SHA-256:	1C546632351F8E8EEA6D5924C5F938A3E6BD79BE6DFAEC2E0E1DD7CCA593312A
SHA-512:	63F459BD10972E2EDAC85BA8ABB8AD588987E443613353826A5D39F1DF75A15F235C19CA587257251057B46671F879C5137B6CF6C60CDC24510487EBE13C0078
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{19f1aa7d-2847-4e93-8415-181d07ac29a0}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732387124183,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`089740...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....093026,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.037800182315653
Encrypted:	false
SSDEEP:	48:YrSAYSKeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycSK+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	92F26F600930A87CB72BE30DE8346EFA
SHA1:	AB34A0E20DDCBA62FC8A9E3175CCE1A41B5B1050
SHA-256:	F540EF217E47A73C73934630644B5F528E6666C5BAD6EA49EEA2A1322ED5C0E5
SHA-512:	A330D76579BA791BF6BC7969FE0AF5D325C7774060F42C179DF89D07746AC3F706D0B0D8B8A91F21755141845C14F39000C8796FED8B330580A5AADBF3545A3C
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T18:38:17.469Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.037800182315653
Encrypted:	false
SSDEEP:	48:YrSAYSKeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycSK+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	92F26F600930A87CB72BE30DE8346EFA
SHA1:	AB34A0E20DDCBA62FC8A9E3175CCE1A41B5B1050
SHA-256:	F540EF217E47A73C73934630644B5F528E6666C5BAD6EA49EEA2A1322ED5C0E5
SHA-512:	A330D76579BA791BF6BC7969FE0AF5D325C7774060F42C179DF89D07746AC3F706D0B0D8B8A91F21755141845C14F39000C8796FED8B330580A5AADBF3545A3C
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T18:38:17.469Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.592468201260329
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	b607f667b23f2e1a00ed1246555f3f09
SHA1:	0c75ffff839c4eceaeb2b3c0ad13002d297de76f
SHA256:	44b1e5da02727ac5f7547095c9cdd7e2b97812993e99e4ffeddaacc9cd95289a
SHA512:	59e08daf9034065ee35afe43d93470b3d98d30da4a76ce9c00c455d4985d9d3aae95eb617c540c0029b910f7c3d6b67c0e5f5b336b45514c88f7c779f183ebc1
SSDEEP:	24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8a+RO:4TvC/MTQYxsWR7a+
TLSH:	1D159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674202F4 [Sat Nov 23 16:29:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FED98B8B9A3h
jmp 00007FED98B8B2AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FED98B8B48Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FED98B8B45Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FED98B8E04Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FED98B8E098h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FED98B8E081h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa874	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa874	0xaa00	0070deb4d93a2d01a4d73851badda349	False	0.36957720588235293	data	5.650764333735662	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1b3a	data			1.0015781922525107
RT_GROUP_ICON	0xde2f4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde36c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde380	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde394	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde3a8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde484	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 17:45:15.300414085 CET	49709	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:15.300494909 CET	443	49709	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:15.300523996 CET	49710	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:15.300565958 CET	443	49710	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:15.300858974 CET	49711	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:15.300883055 CET	443	49711	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:15.301069021 CET	49709	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:15.301137924 CET	49710	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:15.301139116 CET	49711	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:15.306113005 CET	49709	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:15.306155920 CET	443	49709	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:15.307539940 CET	49710	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:15.307550907 CET	443	49710	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:15.308902025 CET	49711	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:15.308928967 CET	443	49711	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:15.309128046 CET	49712	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:15.446115971 CET	80	49712	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:15.448760033 CET	49712	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:15.448893070 CET	49712	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:15.568980932 CET	80	49712	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:15.587867022 CET	49714	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:15.587929010 CET	443	49714	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:15.588076115 CET	49714	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:15.589375973 CET	49714	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:15.589390993 CET	443	49714	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:15.617273092 CET	49715	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:15.617310047 CET	443	49715	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:15.617445946 CET	49715	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:15.618726969 CET	49715	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:15.618741035 CET	443	49715	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:16.159682035 CET	49716	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:16.159758091 CET	443	49716	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:16.162286043 CET	49716	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:16.162893057 CET	49716	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:16.162930965 CET	443	49716	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:16.341800928 CET	49717	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:16.341840029 CET	443	49717	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:16.341980934 CET	49717	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:16.342154980 CET	49717	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:16.342170954 CET	443	49717	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:16.536389112 CET	80	49712	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:16.546118975 CET	443	49711	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:16.548165083 CET	49711	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:16.554914951 CET	49712	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:16.559824944 CET	49711	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:16.559869051 CET	443	49711	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:16.559933901 CET	49711	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:16.560060978 CET	443	49711	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:16.562530994 CET	49711	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:16.676536083 CET	80	49712	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:16.676604986 CET	49712	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:16.912941933 CET	443	49714	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:16.916342020 CET	49714	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.920200109 CET	49714	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.920211077 CET	443	49714	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:16.920269012 CET	49714	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.920475006 CET	443	49714	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:16.920835972 CET	49714	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.947707891 CET	443	49715	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:16.947798014 CET	49715	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.952383995 CET	49715	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.952392101 CET	443	49715	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:16.952452898 CET	49715	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.952656031 CET	443	49715	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:16.954308987 CET	49715	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.983496904 CET	49719	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:16.983521938 CET	443	49719	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:16.984277964 CET	49719	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:16.984401941 CET	49719	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:16.984411001 CET	443	49719	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:16.994272947 CET	49720	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.994318008 CET	443	49720	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:16.996130943 CET	49720	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.997443914 CET	49720	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:16.997461081 CET	443	49720	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:17.039182901 CET	49721	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:17.039197922 CET	443	49721	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:17.039262056 CET	49721	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:17.040535927 CET	49721	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:17.040548086 CET	443	49721	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:17.073445082 CET	443	49710	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:17.074453115 CET	443	49710	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:17.080801010 CET	49710	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:17.080815077 CET	443	49710	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:17.085352898 CET	49710	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:17.085376024 CET	443	49710	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:17.085442066 CET	49710	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:17.085644007 CET	443	49710	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:17.085704088 CET	49710	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:17.094615936 CET	443	49709	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:17.094697952 CET	49709	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:17.096456051 CET	443	49709	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:17.096523046 CET	49709	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:17.185146093 CET	49722	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:17.185312033 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:17.187484980 CET	49709	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:17.187520981 CET	443	49709	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:17.187552929 CET	49709	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:17.188101053 CET	443	49709	142.250.181.78	192.168.2.7
Nov 23, 2024 17:45:17.188282967 CET	49709	443	192.168.2.7	142.250.181.78
Nov 23, 2024 17:45:17.306040049 CET	80	49722	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:17.306075096 CET	80	49723	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:17.306129932 CET	49722	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:17.306277037 CET	49722	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:17.306379080 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:17.306483984 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:17.343285084 CET	49724	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:17.343337059 CET	443	49724	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:17.346512079 CET	49724	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:17.347901106 CET	49724	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:17.347915888 CET	443	49724	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:17.382910013 CET	443	49716	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:17.382999897 CET	49716	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:17.385859966 CET	49716	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:17.385878086 CET	443	49716	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:17.386224985 CET	443	49716	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:17.388586044 CET	49716	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:17.388668060 CET	49716	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:17.388781071 CET	443	49716	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:17.388864994 CET	49716	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:17.432672024 CET	80	49722	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:17.432809114 CET	80	49723	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:17.575870037 CET	443	49717	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:17.575954914 CET	49717	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:17.578351974 CET	49717	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:17.578370094 CET	443	49717	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:17.578597069 CET	443	49717	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:17.580620050 CET	49717	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:17.580729961 CET	49717	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:17.580773115 CET	443	49717	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:17.581105947 CET	49725	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:17.581181049 CET	443	49725	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:17.582222939 CET	49717	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:17.582222939 CET	49717	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:17.582287073 CET	49725	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:17.582881927 CET	49725	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:17.582916021 CET	443	49725	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:18.271814108 CET	443	49721	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:18.279347897 CET	443	49721	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:18.281833887 CET	49721	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:18.290890932 CET	49721	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:18.290899038 CET	443	49721	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:18.290985107 CET	49721	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:18.291198015 CET	443	49721	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:18.291254997 CET	49721	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:18.296570063 CET	443	49720	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:18.296715021 CET	49720	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:18.300802946 CET	49720	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:18.300802946 CET	49720	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:18.300816059 CET	443	49720	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:18.301170111 CET	49732	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:18.301202059 CET	443	49732	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:18.301369905 CET	49732	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:18.301393986 CET	443	49720	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:18.301542044 CET	49720	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:18.302743912 CET	49732	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:18.302755117 CET	443	49732	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:18.318303108 CET	443	49719	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:18.322964907 CET	49719	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:18.329797983 CET	49719	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:18.329808950 CET	443	49719	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:18.330560923 CET	443	49719	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:18.332586050 CET	49719	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:18.332644939 CET	49719	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:18.332946062 CET	443	49719	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:18.333044052 CET	49719	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:18.470058918 CET	80	49723	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:18.470288992 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.496279955 CET	49722	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.516936064 CET	80	49722	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:18.519319057 CET	49722	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.593919992 CET	49733	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.594144106 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.650321007 CET	443	49724	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:18.650386095 CET	49724	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:18.654558897 CET	49724	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:18.654570103 CET	443	49724	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:18.654623032 CET	49724	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:18.654742002 CET	443	49724	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:18.669708967 CET	49724	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:18.752454042 CET	80	49723	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:18.753607988 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.753624916 CET	80	49733	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:18.753681898 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:18.753716946 CET	49733	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.753863096 CET	49733	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.753957033 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.754034042 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:18.790988922 CET	49735	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:18.791042089 CET	443	49735	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:18.791462898 CET	49735	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:18.792778969 CET	49735	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:18.792807102 CET	443	49735	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:18.793109894 CET	49736	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:18.793174982 CET	443	49736	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:18.793349981 CET	49736	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:18.794680119 CET	49736	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:18.794713974 CET	443	49736	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:18.839472055 CET	443	49725	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:18.839658022 CET	49725	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:18.842806101 CET	49725	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:18.842819929 CET	443	49725	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:18.843065023 CET	443	49725	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:18.845098019 CET	49725	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:18.845170975 CET	49725	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:18.845246077 CET	443	49725	34.160.144.191	192.168.2.7
Nov 23, 2024 17:45:18.845347881 CET	49725	443	192.168.2.7	34.160.144.191
Nov 23, 2024 17:45:18.874777079 CET	80	49733	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:18.874854088 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:19.581248999 CET	443	49732	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:19.581338882 CET	49732	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:19.585989952 CET	49732	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:19.585989952 CET	49732	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:19.585998058 CET	443	49732	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:19.586131096 CET	443	49732	34.117.188.166	192.168.2.7
Nov 23, 2024 17:45:19.586196899 CET	49732	443	192.168.2.7	34.117.188.166
Nov 23, 2024 17:45:19.840910912 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:19.893632889 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:19.896513939 CET	80	49733	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:19.940538883 CET	49733	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:20.055807114 CET	443	49736	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:20.055892944 CET	49736	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:20.059829950 CET	49736	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:20.059868097 CET	443	49736	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:20.060000896 CET	49736	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:20.060116053 CET	443	49736	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:20.060273886 CET	49736	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:20.130311012 CET	443	49735	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:20.130410910 CET	49735	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:20.134764910 CET	49735	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:20.134779930 CET	443	49735	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:20.134870052 CET	49735	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:20.135011911 CET	443	49735	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:20.135067940 CET	49735	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:21.011243105 CET	49733	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:21.014866114 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:21.020939112 CET	49743	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:21.020977020 CET	443	49743	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:21.028117895 CET	49743	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:21.030608892 CET	49743	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:21.030623913 CET	443	49743	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:21.035726070 CET	49744	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:21.035758018 CET	443	49744	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:21.036705971 CET	49744	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:21.038091898 CET	49744	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:21.038105965 CET	443	49744	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:21.130733967 CET	80	49733	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:21.134403944 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:21.330343962 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:21.334940910 CET	49733	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:21.335599899 CET	80	49733	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:21.338855028 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:21.340493917 CET	49733	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:21.378257990 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:21.455625057 CET	80	49733	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:21.455683947 CET	49733	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:21.459147930 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:21.459228992 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:21.459392071 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:21.578840017 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:22.283982992 CET	443	49744	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:22.284185886 CET	49744	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:22.287837029 CET	49744	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:22.287847996 CET	443	49744	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:22.287887096 CET	49744	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:22.288042068 CET	443	49744	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:22.291392088 CET	49744	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:22.321990013 CET	443	49743	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:22.322024107 CET	443	49743	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:22.322063923 CET	49743	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:22.324596882 CET	49743	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:22.324611902 CET	443	49743	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:22.324817896 CET	443	49743	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:22.326591969 CET	49743	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:22.326661110 CET	49743	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:22.326729059 CET	443	49743	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:22.326924086 CET	49743	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:22.326924086 CET	49743	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:22.584464073 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:22.642076015 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:25.167167902 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:25.177850008 CET	49756	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:25.177890062 CET	443	49756	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:25.181175947 CET	49756	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:25.181457043 CET	49756	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:25.181476116 CET	443	49756	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:25.292531967 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:25.488004923 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:25.529015064 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:25.761897087 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:25.761936903 CET	443	49758	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:25.764384031 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:25.764672041 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:25.764692068 CET	443	49758	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:26.410942078 CET	443	49756	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:26.411163092 CET	49756	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:26.413429022 CET	49756	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:26.413444996 CET	443	49756	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:26.413764000 CET	443	49756	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:26.415491104 CET	49756	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:26.415564060 CET	49756	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:26.415676117 CET	443	49756	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:26.415791988 CET	49756	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.038420916 CET	443	49758	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:27.051326036 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.051336050 CET	443	49758	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:27.065152884 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.068686962 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.068698883 CET	443	49758	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:27.069048882 CET	443	49758	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:27.070813894 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.070895910 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.070966959 CET	443	49758	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:27.071099997 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.071115017 CET	49758	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.817429066 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:27.820230961 CET	49766	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.820326090 CET	443	49766	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:27.821352959 CET	49766	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.822719097 CET	49766	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:27.822770119 CET	443	49766	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:27.972951889 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:28.059214115 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:28.092534065 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:28.218660116 CET	49768	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:28.218698025 CET	443	49768	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:28.220587969 CET	49768	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:28.221860886 CET	49768	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:28.221877098 CET	443	49768	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:28.254513979 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:28.287924051 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:28.290911913 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:28.345550060 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:28.418308020 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:28.613785028 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:28.661987066 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:29.197726965 CET	443	49766	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:29.197807074 CET	49766	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:29.673998117 CET	443	49768	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:29.674268007 CET	49768	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:30.037965059 CET	49766	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:30.037998915 CET	443	49766	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:30.038059950 CET	49766	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:30.038259029 CET	443	49766	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:30.039643049 CET	49768	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:30.039666891 CET	443	49768	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:30.039709091 CET	49768	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:30.039876938 CET	49766	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:30.039884090 CET	443	49768	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:30.039935112 CET	49768	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:30.041680098 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:30.043601036 CET	49775	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:30.043621063 CET	443	49775	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:30.043694019 CET	49775	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:30.044951916 CET	49775	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:30.044965982 CET	443	49775	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:30.166826010 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:30.362272978 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:30.368750095 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:30.372476101 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:30.491303921 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:30.494982004 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:30.693031073 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:30.693387985 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:30.701984882 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:30.754303932 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:30.828356028 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:31.023718119 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:31.068939924 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:31.378417015 CET	443	49775	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:31.378515959 CET	49775	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:31.509988070 CET	49775	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:31.510015965 CET	443	49775	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:31.510103941 CET	49775	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:31.510298014 CET	443	49775	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:31.512303114 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:31.513117075 CET	49775	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:31.515238047 CET	49776	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:31.515286922 CET	443	49776	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:31.516731977 CET	49776	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:31.518163919 CET	49776	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:31.518178940 CET	443	49776	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:31.632105112 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:31.827339888 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:31.839173079 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:31.871406078 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:31.965584993 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:32.160505056 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:32.203438044 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:32.732234001 CET	443	49776	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:32.732312918 CET	49776	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:32.939539909 CET	49776	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:32.939587116 CET	443	49776	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:32.939625025 CET	49776	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:32.940140963 CET	443	49776	34.120.208.123	192.168.2.7
Nov 23, 2024 17:45:32.940208912 CET	49776	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:45:33.830425978 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:33.951601028 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:34.147217035 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:34.150994062 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:34.193684101 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:34.270684958 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:34.465991020 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:34.510148048 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:40.052305937 CET	49797	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:40.052336931 CET	443	49797	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:40.052414894 CET	49797	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:40.053814888 CET	49797	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:40.053828001 CET	443	49797	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:41.368216991 CET	443	49797	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:41.368311882 CET	49797	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:41.371968985 CET	49797	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:41.371974945 CET	443	49797	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:41.372064114 CET	49797	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:41.372230053 CET	443	49797	34.107.243.93	192.168.2.7
Nov 23, 2024 17:45:41.374073982 CET	49797	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:45:41.375806093 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:41.499162912 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:41.695307970 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:41.698590040 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:41.736198902 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:41.989079952 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:42.187406063 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:42.237653971 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:43.251255989 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:43.251370907 CET	443	49803	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:43.254061937 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:43.254307985 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:43.254347086 CET	443	49803	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:43.284291983 CET	49804	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:43.284322023 CET	443	49804	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:43.284969091 CET	49804	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:43.285121918 CET	49804	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:43.285136938 CET	443	49804	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:43.289321899 CET	49805	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:43.289330006 CET	443	49805	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:43.303608894 CET	49805	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:43.305809021 CET	49805	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:43.305819988 CET	443	49805	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:43.496552944 CET	49806	443	192.168.2.7	35.201.103.21
Nov 23, 2024 17:45:43.496588945 CET	443	49806	35.201.103.21	192.168.2.7
Nov 23, 2024 17:45:43.496819019 CET	49807	443	192.168.2.7	151.101.193.91
Nov 23, 2024 17:45:43.496829987 CET	443	49807	151.101.193.91	192.168.2.7
Nov 23, 2024 17:45:43.497220993 CET	49806	443	192.168.2.7	35.201.103.21
Nov 23, 2024 17:45:43.497247934 CET	49807	443	192.168.2.7	151.101.193.91
Nov 23, 2024 17:45:43.498771906 CET	49806	443	192.168.2.7	35.201.103.21
Nov 23, 2024 17:45:43.498790026 CET	443	49806	35.201.103.21	192.168.2.7
Nov 23, 2024 17:45:43.499049902 CET	49807	443	192.168.2.7	151.101.193.91
Nov 23, 2024 17:45:43.499059916 CET	443	49807	151.101.193.91	192.168.2.7
Nov 23, 2024 17:45:44.626676083 CET	443	49803	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.626821041 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.630594015 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.630637884 CET	443	49803	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.631529093 CET	443	49803	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.632920027 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.633048058 CET	443	49803	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.633057117 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.633078098 CET	443	49803	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.636091948 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.636092901 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.636092901 CET	49803	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.637830973 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:44.639084101 CET	443	49804	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:44.639285088 CET	49804	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:44.640279055 CET	443	49805	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:44.640290022 CET	443	49805	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:44.641239882 CET	49805	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:44.642270088 CET	49804	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:44.642275095 CET	443	49804	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:44.642487049 CET	443	49804	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:44.647718906 CET	49804	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:44.647805929 CET	49804	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:44.647830963 CET	443	49804	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:44.647917986 CET	49805	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:44.647921085 CET	443	49805	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:44.647994041 CET	49805	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:44.648036957 CET	443	49805	35.190.72.216	192.168.2.7
Nov 23, 2024 17:45:44.648371935 CET	49804	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:44.648385048 CET	49805	443	192.168.2.7	35.190.72.216
Nov 23, 2024 17:45:44.736213923 CET	443	49807	151.101.193.91	192.168.2.7
Nov 23, 2024 17:45:44.736367941 CET	49807	443	192.168.2.7	151.101.193.91
Nov 23, 2024 17:45:44.739223003 CET	49807	443	192.168.2.7	151.101.193.91
Nov 23, 2024 17:45:44.739238977 CET	443	49807	151.101.193.91	192.168.2.7
Nov 23, 2024 17:45:44.740170002 CET	443	49807	151.101.193.91	192.168.2.7
Nov 23, 2024 17:45:44.741880894 CET	49807	443	192.168.2.7	151.101.193.91
Nov 23, 2024 17:45:44.741977930 CET	49807	443	192.168.2.7	151.101.193.91
Nov 23, 2024 17:45:44.742316008 CET	443	49807	151.101.193.91	192.168.2.7
Nov 23, 2024 17:45:44.745018005 CET	49807	443	192.168.2.7	151.101.193.91
Nov 23, 2024 17:45:44.750667095 CET	49813	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.750698090 CET	443	49813	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.751127958 CET	49813	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.751241922 CET	49813	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.751259089 CET	443	49813	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.752788067 CET	49814	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.752813101 CET	443	49814	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.753585100 CET	49814	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.753736019 CET	49814	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.753748894 CET	443	49814	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.754903078 CET	49815	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.754911900 CET	443	49815	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.755168915 CET	49815	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.755264997 CET	49815	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:44.755276918 CET	443	49815	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:44.758730888 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:44.773155928 CET	443	49806	35.201.103.21	192.168.2.7
Nov 23, 2024 17:45:44.773237944 CET	49806	443	192.168.2.7	35.201.103.21
Nov 23, 2024 17:45:44.777308941 CET	49806	443	192.168.2.7	35.201.103.21
Nov 23, 2024 17:45:44.777319908 CET	443	49806	35.201.103.21	192.168.2.7
Nov 23, 2024 17:45:44.777405977 CET	49806	443	192.168.2.7	35.201.103.21
Nov 23, 2024 17:45:44.777453899 CET	443	49806	35.201.103.21	192.168.2.7
Nov 23, 2024 17:45:44.780183077 CET	49806	443	192.168.2.7	35.201.103.21
Nov 23, 2024 17:45:44.781382084 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:44.781414032 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:44.782046080 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:44.782193899 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:44.782208920 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:44.955918074 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:44.959573030 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:45.014615059 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:45.082393885 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:45.277360916 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:45.331085920 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:46.000756979 CET	443	49813	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.000871897 CET	49813	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.005109072 CET	49813	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.005121946 CET	443	49813	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.005409956 CET	443	49813	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.008665085 CET	49813	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.008831024 CET	49813	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.008852005 CET	443	49813	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.009038925 CET	49813	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.016347885 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:46.037892103 CET	443	49815	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.038033009 CET	49815	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.042033911 CET	49815	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.042042971 CET	443	49815	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.042586088 CET	443	49815	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.045598030 CET	49815	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.045705080 CET	49815	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.046010971 CET	443	49815	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.046081066 CET	49815	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.078480005 CET	443	49814	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.078573942 CET	49814	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.082390070 CET	49814	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.082398891 CET	443	49814	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.082712889 CET	443	49814	35.244.181.201	192.168.2.7
Nov 23, 2024 17:45:46.085885048 CET	49814	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.085999966 CET	49814	443	192.168.2.7	35.244.181.201
Nov 23, 2024 17:45:46.111406088 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:46.111511946 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:46.115747929 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:46.115777016 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:46.116106033 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:46.119410038 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:46.119523048 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:46.119585037 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 17:45:46.120428085 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 17:45:46.152714014 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:46.349224091 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:46.353573084 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:46.396658897 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:46.474577904 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:46.694896936 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:46.735321999 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:56.353081942 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:56.472980022 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:45:56.707573891 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:45:56.829091072 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:01.543363094 CET	49853	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:01.543432951 CET	443	49853	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:01.543953896 CET	49853	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:01.546029091 CET	49853	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:01.546046019 CET	443	49853	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:02.802194118 CET	443	49853	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:02.802526951 CET	49853	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:02.809597969 CET	49853	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:02.809606075 CET	443	49853	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:02.809756994 CET	443	49853	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:02.809761047 CET	49853	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:02.809768915 CET	443	49853	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:02.813514948 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:02.938510895 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:03.015366077 CET	443	49853	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:03.015466928 CET	49853	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:03.133610010 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:03.137253046 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:03.191606998 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:03.256747007 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:03.452116013 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:03.492538929 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:13.136921883 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:13.263261080 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:13.442255974 CET	49883	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.442293882 CET	443	49883	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.442423105 CET	49884	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.442445993 CET	443	49884	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.442562103 CET	49885	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.442608118 CET	443	49885	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.442652941 CET	49886	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.442671061 CET	443	49886	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.442758083 CET	49887	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.442764997 CET	443	49887	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.442873001 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.442905903 CET	443	49888	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.442998886 CET	49883	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443016052 CET	49885	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443021059 CET	49886	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443022013 CET	49884	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443201065 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443203926 CET	49887	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443206072 CET	49883	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443222046 CET	443	49883	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.443372011 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443381071 CET	443	49888	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.443411112 CET	49887	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443427086 CET	443	49887	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.443484068 CET	49886	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443510056 CET	443	49886	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.443555117 CET	49885	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443567038 CET	443	49885	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.443619967 CET	49884	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:13.443641901 CET	443	49884	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:13.453301907 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:13.573210001 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:14.669877052 CET	443	49886	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.669956923 CET	49886	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.672799110 CET	49886	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.672806025 CET	443	49886	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.673032045 CET	443	49886	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.673675060 CET	443	49885	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.673783064 CET	49885	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.675734997 CET	49885	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.675754070 CET	443	49885	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.676089048 CET	443	49885	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.678078890 CET	49886	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.678174019 CET	49886	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.678216934 CET	443	49886	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.678560972 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.678589106 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.679249048 CET	49885	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.679303885 CET	49885	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.679413080 CET	443	49885	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.679712057 CET	49886	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.679739952 CET	49885	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.679891109 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.679891109 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.679924011 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.680111885 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.680145979 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.680918932 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.680918932 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.680951118 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.682432890 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:14.717924118 CET	443	49887	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.717997074 CET	49887	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.720741034 CET	49887	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.720756054 CET	443	49887	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.721024036 CET	443	49887	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.723077059 CET	49887	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.723077059 CET	49887	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.723239899 CET	443	49887	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.723843098 CET	49887	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.723860979 CET	49887	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.725480080 CET	443	49888	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.725545883 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.726157904 CET	443	49884	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.728146076 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.728163958 CET	443	49888	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.728732109 CET	443	49888	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.730154037 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.730367899 CET	443	49888	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.731017113 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.731034040 CET	443	49888	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.731364012 CET	443	49884	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.735156059 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.735183954 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.735183954 CET	49888	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.735306025 CET	49884	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.741975069 CET	49884	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.741981030 CET	443	49884	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.743243933 CET	443	49884	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.744539022 CET	49884	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.744664907 CET	49884	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.744904041 CET	443	49884	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.745156050 CET	49884	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.766577005 CET	443	49883	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.766649961 CET	49883	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.769730091 CET	49883	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.769741058 CET	443	49883	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.770056963 CET	443	49883	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.772619963 CET	49883	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.772702932 CET	49883	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.772788048 CET	443	49883	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:14.773175955 CET	49883	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:14.802140951 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:15.018081903 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:15.021454096 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:15.071409941 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:15.141119003 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:15.335875988 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:15.388003111 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:15.897669077 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:15.897845984 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.901328087 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.901339054 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:15.901721001 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:15.904015064 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.904155970 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.904232025 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:15.904375076 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.907479048 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:15.987829924 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:15.987963915 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.991111994 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.991121054 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:15.991369963 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:15.993269920 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.993381023 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.993418932 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 17:46:15.993591070 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:15.993606091 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 17:46:16.087229967 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:16.282402039 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:16.285988092 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:16.343964100 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:16.407543898 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:16.603634119 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:16.644404888 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:26.288487911 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:26.408116102 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:26.605251074 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:26.725476980 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:36.419868946 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:36.539639950 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:36.736449957 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:36.856235027 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:43.030864000 CET	49955	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:43.030972958 CET	443	49955	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:43.031297922 CET	49955	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:43.032860994 CET	49955	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:43.032897949 CET	443	49955	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:44.317943096 CET	443	49955	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:44.318186045 CET	49955	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:44.324028969 CET	49955	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:44.324059010 CET	443	49955	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:44.324151039 CET	49955	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:44.324212074 CET	443	49955	34.107.243.93	192.168.2.7
Nov 23, 2024 17:46:44.325149059 CET	49955	443	192.168.2.7	34.107.243.93
Nov 23, 2024 17:46:44.327338934 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:44.496398926 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:44.715080023 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:44.719193935 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:44.766345978 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:44.839852095 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:45.034383059 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:45.082772970 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:54.725652933 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:54.845412970 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:46:55.042020082 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:46:55.162462950 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:47:04.855171919 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:47:04.976871014 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:47:05.171765089 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:47:05.291515112 CET	80	49745	34.107.221.82	192.168.2.7
Nov 23, 2024 17:47:14.980235100 CET	49734	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:47:15.102411032 CET	80	49734	34.107.221.82	192.168.2.7
Nov 23, 2024 17:47:15.296690941 CET	49745	80	192.168.2.7	34.107.221.82
Nov 23, 2024 17:47:15.416291952 CET	80	49745	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 17:45:15.158072948 CET	55133	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.163842916 CET	63272	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.295351982 CET	53	55133	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.300452948 CET	53730	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.300973892 CET	49534	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.304780960 CET	61974	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.437772989 CET	53	53730	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.438247919 CET	61911	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.442337990 CET	53	61974	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.442800045 CET	56654	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.448474884 CET	52758	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.477902889 CET	60330	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.581006050 CET	53	61911	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.581043005 CET	53	56654	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.586711884 CET	53	52758	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.587990046 CET	51438	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.608546019 CET	53	49534	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.609059095 CET	50178	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.615531921 CET	53	60330	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.617430925 CET	51051	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.727082968 CET	53	51438	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.727705002 CET	58174	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.757805109 CET	53	51051	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.762269020 CET	51059	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:15.864916086 CET	53	50178	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.868469954 CET	53	58174	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:15.901695967 CET	53	51059	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:16.160099030 CET	59279	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.197567940 CET	57656	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.299365997 CET	53	59279	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:16.299910069 CET	63793	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.341013908 CET	53	57656	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:16.341900110 CET	56619	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.447604895 CET	53	63793	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:16.499556065 CET	53	56619	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:16.500053883 CET	59979	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.529874086 CET	50539	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.637692928 CET	53	59979	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:16.672822952 CET	50745	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.812880993 CET	53	50745	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:16.829122066 CET	55775	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.833750963 CET	63420	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.973752022 CET	53	55775	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:16.977657080 CET	53	63420	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:16.980623007 CET	53632	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:16.982814074 CET	56810	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:17.039485931 CET	50546	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:17.127701998 CET	53	56810	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:17.128217936 CET	58856	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:17.176651001 CET	53	50546	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:17.177150011 CET	60369	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:17.265703917 CET	53	58856	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:17.272499084 CET	53	64454	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:17.315629005 CET	53	60369	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:18.628556967 CET	62974	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:18.775266886 CET	53	62974	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:18.792489052 CET	50671	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:18.929632902 CET	53	50671	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:18.930428982 CET	54033	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:19.069374084 CET	53	54033	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:20.958005905 CET	57653	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:21.128128052 CET	53	57653	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:21.134790897 CET	61979	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:21.374017954 CET	53	61979	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:21.374680996 CET	49867	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:21.514492035 CET	53	49867	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:25.178248882 CET	63008	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:25.338514090 CET	53	63008	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:27.819619894 CET	51944	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:27.820172071 CET	63041	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:27.820777893 CET	49932	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:28.077091932 CET	53	63041	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:28.077126026 CET	53	49932	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:28.078530073 CET	53	51944	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:28.217961073 CET	57794	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:28.218184948 CET	51479	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:28.218672037 CET	62781	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:28.355398893 CET	53	51479	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:28.355686903 CET	53	62781	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:28.356045961 CET	55674	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:28.356535912 CET	64474	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:28.357727051 CET	53	57794	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:28.377487898 CET	60821	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:28.518835068 CET	53	55674	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:28.518981934 CET	53	60821	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:28.519421101 CET	53	64474	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:28.925647974 CET	57247	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:28.926471949 CET	53223	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:28.926692009 CET	64000	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:29.113981009 CET	53	64000	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:29.114670992 CET	53101	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:29.114932060 CET	53	57247	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:29.115272999 CET	53	53223	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:29.247067928 CET	50432	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:29.305711985 CET	53	53101	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:29.388252974 CET	53	50432	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:29.394061089 CET	52554	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:29.606777906 CET	53	52554	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:30.033324003 CET	55175	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:30.043632030 CET	65101	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:30.183943033 CET	53	55175	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:30.187758923 CET	64660	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:30.189830065 CET	53	65101	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:30.330760002 CET	53	64660	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:40.052855968 CET	53580	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:40.195475101 CET	53	53580	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:41.376362085 CET	53564	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:41.517576933 CET	53	53564	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:43.252480984 CET	50382	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:43.282978058 CET	53551	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:43.290179968 CET	51890	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:43.475455046 CET	53	50382	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:43.495376110 CET	53	53551	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:43.495448112 CET	53	51890	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:43.497093916 CET	54333	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:43.497234106 CET	65421	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:43.642050982 CET	53	54333	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:43.643404961 CET	53	65421	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:43.658888102 CET	54507	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:43.659306049 CET	61838	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:45:43.801227093 CET	53	54507	1.1.1.1	192.168.2.7
Nov 23, 2024 17:45:43.803602934 CET	53	61838	1.1.1.1	192.168.2.7
Nov 23, 2024 17:46:01.391323090 CET	62645	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:46:01.541954994 CET	53	62645	1.1.1.1	192.168.2.7
Nov 23, 2024 17:46:01.543746948 CET	55100	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:46:01.688072920 CET	53	55100	1.1.1.1	192.168.2.7
Nov 23, 2024 17:46:02.813918114 CET	49877	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:46:13.442847967 CET	52092	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:46:13.580194950 CET	53	52092	1.1.1.1	192.168.2.7
Nov 23, 2024 17:46:43.031212091 CET	56048	53	192.168.2.7	1.1.1.1
Nov 23, 2024 17:46:43.171473980 CET	53	56048	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 17:45:15.158072948 CET	192.168.2.7	1.1.1.1	0xe6c7	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.163842916 CET	192.168.2.7	1.1.1.1	0x805	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.300452948 CET	192.168.2.7	1.1.1.1	0x4d67	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.300973892 CET	192.168.2.7	1.1.1.1	0xb5e4	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.304780960 CET	192.168.2.7	1.1.1.1	0xcfb9	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.438247919 CET	192.168.2.7	1.1.1.1	0x58ac	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:15.442800045 CET	192.168.2.7	1.1.1.1	0x4d9b	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 17:45:15.448474884 CET	192.168.2.7	1.1.1.1	0x43c9	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.477902889 CET	192.168.2.7	1.1.1.1	0x8806	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.587990046 CET	192.168.2.7	1.1.1.1	0x52ab	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.609059095 CET	192.168.2.7	1.1.1.1	0x16ea	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 17:45:15.617430925 CET	192.168.2.7	1.1.1.1	0xa90	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.727705002 CET	192.168.2.7	1.1.1.1	0x24ac	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:15.762269020 CET	192.168.2.7	1.1.1.1	0xdc52	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 17:45:16.160099030 CET	192.168.2.7	1.1.1.1	0x9255	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.197567940 CET	192.168.2.7	1.1.1.1	0x7d68	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.299910069 CET	192.168.2.7	1.1.1.1	0xf8f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 17:45:16.341900110 CET	192.168.2.7	1.1.1.1	0xcbd5	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.500053883 CET	192.168.2.7	1.1.1.1	0x2c9c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 17:45:16.529874086 CET	192.168.2.7	1.1.1.1	0xacbb	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.672822952 CET	192.168.2.7	1.1.1.1	0x61b6	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.829122066 CET	192.168.2.7	1.1.1.1	0xace2	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.833750963 CET	192.168.2.7	1.1.1.1	0x15b6	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.980623007 CET	192.168.2.7	1.1.1.1	0xa70a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.982814074 CET	192.168.2.7	1.1.1.1	0x55ce	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:17.039485931 CET	192.168.2.7	1.1.1.1	0x1cbb	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:17.128217936 CET	192.168.2.7	1.1.1.1	0x90ac	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:17.177150011 CET	192.168.2.7	1.1.1.1	0x33d7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:18.628556967 CET	192.168.2.7	1.1.1.1	0x19a2	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:18.792489052 CET	192.168.2.7	1.1.1.1	0x6a8b	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:18.930428982 CET	192.168.2.7	1.1.1.1	0x19a1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 17:45:20.958005905 CET	192.168.2.7	1.1.1.1	0x567c	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:21.134790897 CET	192.168.2.7	1.1.1.1	0xa520	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:21.374680996 CET	192.168.2.7	1.1.1.1	0x8752	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 17:45:25.178248882 CET	192.168.2.7	1.1.1.1	0xd7da	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:27.819619894 CET	192.168.2.7	1.1.1.1	0x1139	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:27.820172071 CET	192.168.2.7	1.1.1.1	0x5176	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:27.820777893 CET	192.168.2.7	1.1.1.1	0xeb7a	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.217961073 CET	192.168.2.7	1.1.1.1	0x6d52	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.218184948 CET	192.168.2.7	1.1.1.1	0xa688	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.218672037 CET	192.168.2.7	1.1.1.1	0x571d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:28.356045961 CET	192.168.2.7	1.1.1.1	0xaf89	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:28.356535912 CET	192.168.2.7	1.1.1.1	0x52e5	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.377487898 CET	192.168.2.7	1.1.1.1	0xd3b1	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:28.925647974 CET	192.168.2.7	1.1.1.1	0xff61	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.926471949 CET	192.168.2.7	1.1.1.1	0x8abe	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.926692009 CET	192.168.2.7	1.1.1.1	0x2614	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.114670992 CET	192.168.2.7	1.1.1.1	0x1107	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 23, 2024 17:45:29.247067928 CET	192.168.2.7	1.1.1.1	0x15d2	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.394061089 CET	192.168.2.7	1.1.1.1	0xd126	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 23, 2024 17:45:30.033324003 CET	192.168.2.7	1.1.1.1	0x62bf	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:30.043632030 CET	192.168.2.7	1.1.1.1	0x3d71	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:30.187758923 CET	192.168.2.7	1.1.1.1	0xeb6f	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:40.052855968 CET	192.168.2.7	1.1.1.1	0x9053	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:41.376362085 CET	192.168.2.7	1.1.1.1	0x1ff	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.252480984 CET	192.168.2.7	1.1.1.1	0x4cdc	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 17:45:43.282978058 CET	192.168.2.7	1.1.1.1	0x4263	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.290179968 CET	192.168.2.7	1.1.1.1	0x780c	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.497093916 CET	192.168.2.7	1.1.1.1	0x36dd	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.497234106 CET	192.168.2.7	1.1.1.1	0x3ccd	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.658888102 CET	192.168.2.7	1.1.1.1	0xa801	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:45:43.659306049 CET	192.168.2.7	1.1.1.1	0x89f	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 23, 2024 17:46:01.391323090 CET	192.168.2.7	1.1.1.1	0xa887	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:46:01.543746948 CET	192.168.2.7	1.1.1.1	0x3b29	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:46:02.813918114 CET	192.168.2.7	1.1.1.1	0x5c20	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:46:13.442847967 CET	192.168.2.7	1.1.1.1	0xe42f	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 17:46:43.031212091 CET	192.168.2.7	1.1.1.1	0x5eff	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 17:45:15.295351982 CET	1.1.1.1	192.168.2.7	0xe6c7	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.295608997 CET	1.1.1.1	192.168.2.7	0xc701	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.303133965 CET	1.1.1.1	192.168.2.7	0x805	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:15.303133965 CET	1.1.1.1	192.168.2.7	0x805	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.437772989 CET	1.1.1.1	192.168.2.7	0x4d67	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.442337990 CET	1.1.1.1	192.168.2.7	0xcfb9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.581006050 CET	1.1.1.1	192.168.2.7	0x58ac	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 23, 2024 17:45:15.581043005 CET	1.1.1.1	192.168.2.7	0x4d9b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 17:45:15.586711884 CET	1.1.1.1	192.168.2.7	0x43c9	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.608546019 CET	1.1.1.1	192.168.2.7	0xb5e4	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.615531921 CET	1.1.1.1	192.168.2.7	0x8806	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:15.615531921 CET	1.1.1.1	192.168.2.7	0x8806	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.625790119 CET	1.1.1.1	192.168.2.7	0x5c4b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:15.625790119 CET	1.1.1.1	192.168.2.7	0x5c4b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.727082968 CET	1.1.1.1	192.168.2.7	0x52ab	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:15.757805109 CET	1.1.1.1	192.168.2.7	0xa90	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.299365997 CET	1.1.1.1	192.168.2.7	0x9255	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.341013908 CET	1.1.1.1	192.168.2.7	0x7d68	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:16.341013908 CET	1.1.1.1	192.168.2.7	0x7d68	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:16.341013908 CET	1.1.1.1	192.168.2.7	0x7d68	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.499556065 CET	1.1.1.1	192.168.2.7	0xcbd5	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.637692928 CET	1.1.1.1	192.168.2.7	0x2c9c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 17:45:16.742177963 CET	1.1.1.1	192.168.2.7	0xacbb	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:16.812880993 CET	1.1.1.1	192.168.2.7	0x61b6	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.812880993 CET	1.1.1.1	192.168.2.7	0x61b6	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.973752022 CET	1.1.1.1	192.168.2.7	0xace2	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.974544048 CET	1.1.1.1	192.168.2.7	0xb73c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:16.974544048 CET	1.1.1.1	192.168.2.7	0xb73c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:16.977657080 CET	1.1.1.1	192.168.2.7	0x15b6	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:17.038367987 CET	1.1.1.1	192.168.2.7	0xcb34	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:17.125778913 CET	1.1.1.1	192.168.2.7	0xa70a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:17.125778913 CET	1.1.1.1	192.168.2.7	0xa70a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:17.127701998 CET	1.1.1.1	192.168.2.7	0x55ce	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:17.176651001 CET	1.1.1.1	192.168.2.7	0x1cbb	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:18.773679972 CET	1.1.1.1	192.168.2.7	0x9760	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:18.775266886 CET	1.1.1.1	192.168.2.7	0x19a2	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:18.775266886 CET	1.1.1.1	192.168.2.7	0x19a2	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:18.929632902 CET	1.1.1.1	192.168.2.7	0x6a8b	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:21.128128052 CET	1.1.1.1	192.168.2.7	0x567c	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:21.128128052 CET	1.1.1.1	192.168.2.7	0x567c	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:21.128128052 CET	1.1.1.1	192.168.2.7	0x567c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:21.374017954 CET	1.1.1.1	192.168.2.7	0xa520	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077091932 CET	1.1.1.1	192.168.2.7	0x5176	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077091932 CET	1.1.1.1	192.168.2.7	0x5176	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077091932 CET	1.1.1.1	192.168.2.7	0x5176	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077091932 CET	1.1.1.1	192.168.2.7	0x5176	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077091932 CET	1.1.1.1	192.168.2.7	0x5176	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077091932 CET	1.1.1.1	192.168.2.7	0x5176	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077091932 CET	1.1.1.1	192.168.2.7	0x5176	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077091932 CET	1.1.1.1	192.168.2.7	0x5176	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077126026 CET	1.1.1.1	192.168.2.7	0xeb7a	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:28.077126026 CET	1.1.1.1	192.168.2.7	0xeb7a	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.078530073 CET	1.1.1.1	192.168.2.7	0x1139	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.355398893 CET	1.1.1.1	192.168.2.7	0xa688	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.355398893 CET	1.1.1.1	192.168.2.7	0xa688	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.355398893 CET	1.1.1.1	192.168.2.7	0xa688	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.355398893 CET	1.1.1.1	192.168.2.7	0xa688	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.355398893 CET	1.1.1.1	192.168.2.7	0xa688	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.355398893 CET	1.1.1.1	192.168.2.7	0xa688	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.355398893 CET	1.1.1.1	192.168.2.7	0xa688	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.357727051 CET	1.1.1.1	192.168.2.7	0x6d52	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:28.518835068 CET	1.1.1.1	192.168.2.7	0xaf89	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 17:45:28.518835068 CET	1.1.1.1	192.168.2.7	0xaf89	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 17:45:28.518835068 CET	1.1.1.1	192.168.2.7	0xaf89	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 17:45:28.518835068 CET	1.1.1.1	192.168.2.7	0xaf89	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 17:45:28.518981934 CET	1.1.1.1	192.168.2.7	0xd3b1	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 23, 2024 17:45:28.519421101 CET	1.1.1.1	192.168.2.7	0x52e5	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:28.519421101 CET	1.1.1.1	192.168.2.7	0x52e5	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.113981009 CET	1.1.1.1	192.168.2.7	0x2614	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.114932060 CET	1.1.1.1	192.168.2.7	0xff61	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:29.114932060 CET	1.1.1.1	192.168.2.7	0xff61	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.114932060 CET	1.1.1.1	192.168.2.7	0xff61	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.114932060 CET	1.1.1.1	192.168.2.7	0xff61	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.114932060 CET	1.1.1.1	192.168.2.7	0xff61	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.115272999 CET	1.1.1.1	192.168.2.7	0x8abe	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.305711985 CET	1.1.1.1	192.168.2.7	0x1107	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 23, 2024 17:45:29.388252974 CET	1.1.1.1	192.168.2.7	0x15d2	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.388252974 CET	1.1.1.1	192.168.2.7	0x15d2	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.388252974 CET	1.1.1.1	192.168.2.7	0x15d2	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:29.388252974 CET	1.1.1.1	192.168.2.7	0x15d2	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:30.183943033 CET	1.1.1.1	192.168.2.7	0x62bf	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:30.183943033 CET	1.1.1.1	192.168.2.7	0x62bf	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:30.183943033 CET	1.1.1.1	192.168.2.7	0x62bf	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:30.183943033 CET	1.1.1.1	192.168.2.7	0x62bf	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:41.517576933 CET	1.1.1.1	192.168.2.7	0x1ff	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.495376110 CET	1.1.1.1	192.168.2.7	0x4263	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.495376110 CET	1.1.1.1	192.168.2.7	0x4263	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.495376110 CET	1.1.1.1	192.168.2.7	0x4263	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.495376110 CET	1.1.1.1	192.168.2.7	0x4263	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.495448112 CET	1.1.1.1	192.168.2.7	0x780c	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:43.495448112 CET	1.1.1.1	192.168.2.7	0x780c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.642050982 CET	1.1.1.1	192.168.2.7	0x36dd	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.643404961 CET	1.1.1.1	192.168.2.7	0x3ccd	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.643404961 CET	1.1.1.1	192.168.2.7	0x3ccd	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.643404961 CET	1.1.1.1	192.168.2.7	0x3ccd	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.643404961 CET	1.1.1.1	192.168.2.7	0x3ccd	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:45:43.803602934 CET	1.1.1.1	192.168.2.7	0x89f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 17:45:43.803602934 CET	1.1.1.1	192.168.2.7	0x89f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 17:45:43.803602934 CET	1.1.1.1	192.168.2.7	0x89f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 17:45:43.803602934 CET	1.1.1.1	192.168.2.7	0x89f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 17:45:46.928077936 CET	1.1.1.1	192.168.2.7	0x288e	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:45:46.928077936 CET	1.1.1.1	192.168.2.7	0x288e	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:46:01.541954994 CET	1.1.1.1	192.168.2.7	0xa887	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:46:03.496615887 CET	1.1.1.1	192.168.2.7	0x5c20	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 17:46:03.496615887 CET	1.1.1.1	192.168.2.7	0x5c20	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 17:46:13.441041946 CET	1.1.1.1	192.168.2.7	0xac47	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49712	34.107.221.82	80	4512	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 17:45:15.448893070 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:16.536389112 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63593 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49722	34.107.221.82	80	4512	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 17:45:17.306277037 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:18.516936064 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56173 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49723	34.107.221.82	80	4512	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 17:45:17.306483984 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:18.470058918 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63595 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49733	34.107.221.82	80	4512	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 17:45:18.753863096 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:19.896513939 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56174 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:21.011243105 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:21.335599899 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56176 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49734	34.107.221.82	80	4512	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 17:45:18.754034042 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:19.840910912 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63596 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:21.014866114 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:21.330343962 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63598 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:25.167167902 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:25.488004923 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63602 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:27.972951889 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:28.287924051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63605 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:30.041680098 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:30.362272978 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63607 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:30.372476101 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:30.693387985 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63607 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:31.512303114 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:31.827339888 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63608 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:33.830425978 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:34.147217035 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63610 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:41.375806093 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:41.695307970 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63618 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:44.637830973 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:44.955918074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63621 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:46.016347885 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:45:46.349224091 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63623 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:45:56.353081942 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:46:02.813514948 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:46:03.133610010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63639 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:46:13.136921883 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:46:14.682432890 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:46:15.018081903 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63651 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:46:15.907479048 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:46:16.282402039 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63653 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:46:26.288487911 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:46:36.419868946 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:46:44.327338934 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 17:46:44.715080023 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 63681 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 17:46:54.725652933 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:47:04.855171919 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:47:14.980235100 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49745	34.107.221.82	80	4512	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 17:45:21.459392071 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:22.584464073 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56177 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:27.817429066 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:28.254513979 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56183 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:28.290911913 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:28.613785028 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56183 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:30.368750095 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:30.693031073 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56185 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:30.701984882 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:31.023718119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56185 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:31.839173079 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:32.160505056 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56187 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:34.150994062 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:34.465991020 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56189 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:41.698590040 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:42.187406063 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56197 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:44.959573030 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:45.277360916 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56200 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:46.353573084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:45:46.694896936 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56201 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:45:56.707573891 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:46:03.137253046 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:46:03.452116013 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56218 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:46:13.453301907 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:46:15.021454096 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:46:15.335875988 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56230 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:46:16.285988092 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:46:16.603634119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56231 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:46:26.605251074 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:46:36.736449957 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:46:44.719193935 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 17:46:45.034383059 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 56259 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 17:46:55.042020082 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:47:05.171765089 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 17:47:15.296690941 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	4
Start time:	11:45:07
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4a0000
File size:	922'624 bytes
MD5 hash:	B607F667B23F2E1A00ED1246555F3F09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:45:07
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:45:07
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:45:09
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:45:09
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:45:10
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:45:10
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:45:10
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:45:10
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:45:10
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:45:10
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:45:11
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:45:11
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:45:11
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	11:45:12
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a8b3303-1cda-4aeb-916b-d80e871d8579} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2366dc6e310 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	11:45:13
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -parentBuildID 20230927232528 -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f858d9a-ddf6-4353-9a58-09ef593d3a72} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2367fce9f10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	11:45:17
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4960 -prefMapHandle 3488 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba64bda-c318-453b-92d6-3178d6fad286} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 23685e59110 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1557
Total number of Limit Nodes:	65

Executed Functions

Function 004A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004A430D

Part of subcall function 004A6B57: _wcslen.LIBCMT ref: 004A6B6A

GetCurrentProcess.KERNEL32(?,0053CB64,00000000,?,?), ref: 004A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 004A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 004A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 004A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 004A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004A44A0

Strings

GetNativeSystemInfo, xrefs: 004A4460
|O, xrefs: 004E36F8
kernel32.dll, xrefs: 004A444F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9ba754613ef61da48530283de08c7b1ab1ea68cf9dc65d72ca84ad6c2af4620a
Instruction ID: f1b17dc3ac0bd3101752a8e6de6e7e17edc01f46627b67af4cbbbb61e3f23cc8
Opcode Fuzzy Hash: 9ba754613ef61da48530283de08c7b1ab1ea68cf9dc65d72ca84ad6c2af4620a
Instruction Fuzzy Hash: 0BA1F46190AAD0CFC722CF7D7C441993FA46BB6342B144C9AE08C97B61D268458DFB2E

Function 004A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004A50AA,?,?,00000000,00000000), ref: 004A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004A50AA,?,?,00000000,00000000), ref: 004A42C9
LoadResource.KERNEL32(?,00000000,?,?,004A50AA,?,?,00000000,00000000,?,?,?,?,?,?,004A4F20), ref: 004E35BE
SizeofResource.KERNEL32(?,00000000,?,?,004A50AA,?,?,00000000,00000000,?,?,?,?,?,?,004A4F20), ref: 004E35D3
LockResource.KERNEL32(004A50AA,?,?,004A50AA,?,?,00000000,00000000,?,?,?,?,?,?,004A4F20,?), ref: 004E35E6

Strings

SCRIPT, xrefs: 004A42BF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8db060ede86dbac02a3aaa05d412330d1d606582ea438ec744ed5dca66e96ed2
Instruction ID: 831b7e1b2b45b1998f080b0eba292b158958855ba80c1b1727f0ccbe82c5549d
Opcode Fuzzy Hash: 8db060ede86dbac02a3aaa05d412330d1d606582ea438ec744ed5dca66e96ed2
Instruction Fuzzy Hash: 48117C76240700BFD7218BA5DC48F2B7FB9EBD6B91F1081AAF402E6290DBB1D8049720

Function 004E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 004A2B6B

Part of subcall function 004A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00571418,?,004A2E7F,?,?,?,00000000), ref: 004A3A78

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00562224), ref: 004E2C10
ShellExecuteW.SHELL32(00000000,?,?,00562224), ref: 004E2C17

Strings

runas, xrefs: 004E2C0B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: e56c294636815bfb4ca49dbaf202771df84796358761bce2ea8b513c50ceac33
Instruction ID: 7af89389b7ee9ffa576f76cf187c017bbe8ce45e525500de7e7217099fe69dd1
Opcode Fuzzy Hash: e56c294636815bfb4ca49dbaf202771df84796358761bce2ea8b513c50ceac33
Instruction Fuzzy Hash: 5E1124311083415BCB04FF2AE8519BE7BA4ABB7349F04442FF046131A2DF6C9A0EE71A

Function 0050D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0050D501
Process32FirstW.KERNEL32(00000000,?), ref: 0050D50F
Process32NextW.KERNEL32(00000000,?), ref: 0050D52F
CloseHandle.KERNELBASE(00000000), ref: 0050D5DC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 777940fd05be276f01676eafd53cb178f58961d69554fd5a157df480d0de799e
Instruction ID: 5723248bc7db3aecc18b048e99b50277c4a4511e9c91e48c8bf054788fdda138
Opcode Fuzzy Hash: 777940fd05be276f01676eafd53cb178f58961d69554fd5a157df480d0de799e
Instruction Fuzzy Hash: 3A3181711083009FD300EF54CC85AAFBFF8EFAA358F14092DF581961A1EB759949DBA2

Function 0050DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,004E5222), ref: 0050DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0050DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0050DBEE
FindClose.KERNEL32(00000000), ref: 0050DBFA

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f45303fbec2bd5dabcfee42c0239059dc0d3577df619a0f10c4c23d9060e87af
Instruction ID: f90c8514a5d436b908a2d7a6a62028dac96a96f475aea42fb41ec6634af4dee4
Opcode Fuzzy Hash: f45303fbec2bd5dabcfee42c0239059dc0d3577df619a0f10c4c23d9060e87af
Instruction Fuzzy Hash: 2CF0A03181092057D2206BB8AC0D8AF3F7CBF41334B104702F876D22E0EBB05D58DAA5

Function 004C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004D28E9,?,004C4CBE,004D28E9,005688B8,0000000C,004C4E15,004D28E9,00000002,00000000,?,004D28E9), ref: 004C4D09
TerminateProcess.KERNEL32(00000000,?,004C4CBE,004D28E9,005688B8,0000000C,004C4E15,004D28E9,00000002,00000000,?,004D28E9), ref: 004C4D10
ExitProcess.KERNEL32 ref: 004C4D22

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8ecf1b22b5ccf821d0318d2adddbd69bf33cdf3ec1e4cce1ba2a9446ba1daacb
Instruction ID: a6818c641dd7cb799aadae6e8d994d15e70c6f69a620edea9be4dee0dd738047
Opcode Fuzzy Hash: 8ecf1b22b5ccf821d0318d2adddbd69bf33cdf3ec1e4cce1ba2a9446ba1daacb
Instruction Fuzzy Hash: E2E04635000108ABCF61BF20DE1AF893F29EB91795B004419FC069B322CB39DD42EB84

Function 004ABF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#W, xrefs: 004F07CE

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#W
API String ID: 3964851224-3759538804
Opcode ID: 2b2dbbedc6f6d7641e3f7e4a26f3b294dbd621ca2eb93e9d5bc4def0597d0776
Instruction ID: 43fb46618f4edbe08fab0eb3bdbee3cefbe2fe302ae40b9580a94f2f521e56be
Opcode Fuzzy Hash: 2b2dbbedc6f6d7641e3f7e4a26f3b294dbd621ca2eb93e9d5bc4def0597d0776
Instruction Fuzzy Hash: 85A26C70A083019FD750DF14C480B6BBBE1BF9A304F14896EE99A8B352D779EC45CB96

Function 0052AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0052B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0052B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0052B1D4
_wcslen.LIBCMT ref: 0052B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0052B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0052B236
_wcslen.LIBCMT ref: 0052B332

Part of subcall function 005105A7: GetStdHandle.KERNEL32(000000F6), ref: 005105C6

_wcslen.LIBCMT ref: 0052B34B
_wcslen.LIBCMT ref: 0052B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0052B3B6
GetLastError.KERNEL32(00000000), ref: 0052B407
CloseHandle.KERNEL32(?), ref: 0052B439
CloseHandle.KERNEL32(00000000), ref: 0052B44A
CloseHandle.KERNEL32(00000000), ref: 0052B45C
CloseHandle.KERNEL32(00000000), ref: 0052B46E
CloseHandle.KERNEL32(?), ref: 0052B4E3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 31f5c92e908e9cd256331a3f40451ff988bf57ae8ad5eaa27907c8bec557f632
Instruction ID: 76ddd686d60b19f1673ed13a3f7505597f5142358565f80d73472b4d1774c962
Opcode Fuzzy Hash: 31f5c92e908e9cd256331a3f40451ff988bf57ae8ad5eaa27907c8bec557f632
Instruction Fuzzy Hash: A0F1AC315043109FD724EF25D895B6ABBE1BF86314F14885EF8958B2A2CB35EC44CB92

Function 004AD730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004AD807
timeGetTime.WINMM ref: 004ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004ADB28
TranslateMessage.USER32(?), ref: 004ADB7B
DispatchMessageW.USER32(?), ref: 004ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004ADB9F
Sleep.KERNELBASE(0000000A), ref: 004ADBB1

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 1d14f7bc97090e306ed2c8d70799bf3b4336341865f38d749b2a4bb244a0b0ee
Instruction ID: 0558248c1314f5f21dbe213e45e17cd89fcdda0b51efa97fa43a82ef23f00507
Opcode Fuzzy Hash: 1d14f7bc97090e306ed2c8d70799bf3b4336341865f38d749b2a4bb244a0b0ee
Instruction Fuzzy Hash: 99421170A04245DFD728CF24C844BBBBBA4BF66304F04451FE556877A1D7B8E884DB9A

Function 004A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004A2D07
RegisterClassExW.USER32(00000030), ref: 004A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004A2D42
InitCommonControlsEx.COMCTL32(?), ref: 004A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004A2D6F
LoadIconW.USER32(000000A9), ref: 004A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004A2D94

Strings

TaskbarCreated, xrefs: 004A2D37
0, xrefs: 004A2CE9
+, xrefs: 004A2CF0
AutoIt v3 GUI, xrefs: 004A2D23

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cac9fdc5912f7a31f36abffce4b19c1ed5461000d88661d2621066e12faec3f9
Instruction ID: a835218b24c6b3e72c69c7daf50eaf12af8193bca4031c379a9487ea86d89e11
Opcode Fuzzy Hash: cac9fdc5912f7a31f36abffce4b19c1ed5461000d88661d2621066e12faec3f9
Instruction Fuzzy Hash: 8521E4B5911208AFDB00DFA8E849BDDBFB4FB18700F00411AFA15B63A0D7B54588AFA4

Function 004E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E039A: CreateFileW.KERNELBASE(00000000,00000000,?,004E0704,?,?,00000000,?,004E0704,00000000,0000000C), ref: 004E03B7

GetLastError.KERNEL32 ref: 004E076F
__dosmaperr.LIBCMT ref: 004E0776
GetFileType.KERNELBASE(00000000), ref: 004E0782
GetLastError.KERNEL32 ref: 004E078C
__dosmaperr.LIBCMT ref: 004E0795
CloseHandle.KERNEL32(00000000), ref: 004E07B5
CloseHandle.KERNEL32(?), ref: 004E08FF
GetLastError.KERNEL32 ref: 004E0931
__dosmaperr.LIBCMT ref: 004E0938

Strings

H, xrefs: 004E08BD

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 82c6a48274c6b9ee2508bad9fb0db37b0d15d30e26a4579cd1ca6999da1a2535
Instruction ID: f7b98b426be347f4dba6d4b4f514fd2923b13efd0c994d739c449a00dedc7ad3
Opcode Fuzzy Hash: 82c6a48274c6b9ee2508bad9fb0db37b0d15d30e26a4579cd1ca6999da1a2535
Instruction Fuzzy Hash: 23A15632A001848FDF19AF79D851BAE3BA0AB06325F14015EF825AB3D1C7798C97DB95

Function 004A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00571418,?,004A2E7F,?,?,?,00000000), ref: 004A3A78

Part of subcall function 004A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004E31CE
RegCloseKey.ADVAPI32(?), ref: 004E3210
_wcslen.LIBCMT ref: 004E3277
_wcslen.LIBCMT ref: 004E3286

Strings

\Include\, xrefs: 004A3527
\, xrefs: 004E328C
Include, xrefs: 004E3184, 004E31C5
Software\AutoIt v3\AutoIt, xrefs: 004A3560

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b9cacbe6a90b06de98b069cb4a1c4c14482119ba21a154323ff928b857734150
Instruction ID: 61f0a42a2ecadfb36d5e137890b359fc9f8554e7ec3d13b963c0275f0f7a2f75
Opcode Fuzzy Hash: b9cacbe6a90b06de98b069cb4a1c4c14482119ba21a154323ff928b857734150
Instruction Fuzzy Hash: EB7195714043009EC314DF66EC4595BBBE8FFA5744F40482FF589971A0EB789A88EB55

Function 004A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 004A2B9D
LoadIconW.USER32(00000063), ref: 004A2BB3
LoadIconW.USER32(000000A4), ref: 004A2BC5
LoadIconW.USER32(000000A2), ref: 004A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004A2BEF
RegisterClassExW.USER32(?), ref: 004A2C40

Part of subcall function 004A2CD4: GetSysColorBrush.USER32(0000000F), ref: 004A2D07
Part of subcall function 004A2CD4: RegisterClassExW.USER32(00000030), ref: 004A2D31
Part of subcall function 004A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004A2D42
Part of subcall function 004A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 004A2D5F
Part of subcall function 004A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004A2D6F
Part of subcall function 004A2CD4: LoadIconW.USER32(000000A9), ref: 004A2D85
Part of subcall function 004A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004A2D94

Strings

#, xrefs: 004A2C16
AutoIt v3, xrefs: 004A2C2F
0, xrefs: 004A2C0F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1215aacba122c11196d7048110f5dd137ff4eef113c8fc169c7dc0a44f324c34
Instruction ID: 694cf8a6f11969d23634c0cb5bcf9832a9f478df385b978f93f0eeff35f044c5
Opcode Fuzzy Hash: 1215aacba122c11196d7048110f5dd137ff4eef113c8fc169c7dc0a44f324c34
Instruction Fuzzy Hash: A2213A71E00714ABDB109FAAFC45A997FB4FB18B50F00441AE508A67A0D3B50588FF98

Function 004A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,004A316A,?,?), ref: 004A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,004A316A,?,?), ref: 004A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,004A316A,?,?), ref: 004A3232
CreatePopupMenu.USER32 ref: 004A3246
PostQuitMessage.USER32(00000000), ref: 004A3267

Strings

TaskbarCreated, xrefs: 004A322D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 46142ff64708dbefa900052ae863a29312e9b803e0f52e698e227cd7d3a35e2b
Instruction ID: 6e1780f8d0e0829c55480b77f2ebfe38a00c4cba537e983dd9ca569ce7b42e6c
Opcode Fuzzy Hash: 46142ff64708dbefa900052ae863a29312e9b803e0f52e698e227cd7d3a35e2b
Instruction Fuzzy Hash: 4B414A32240200A7DB141F7CAD0EB7A3E59E777346F04411BF906953A1EB6C9E45B76E

Function 004A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004A1459
CoUninitialize.COMBASE ref: 004A14F8
UnregisterHotKey.USER32(?), ref: 004A16DD
DestroyWindow.USER32(?), ref: 004E24B9
FreeLibrary.KERNEL32(?), ref: 004E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004E254B

Strings

close all, xrefs: 004A1454

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: cbb7200a131603e544818499dc1a2fecbb5bb7b626dc965e04e3b6a9a7675778
Instruction ID: 47f5ede655ac8e654f648aa4a15fabc1e6cd68a2bbaf885e610689a82c0404a5
Opcode Fuzzy Hash: cbb7200a131603e544818499dc1a2fecbb5bb7b626dc965e04e3b6a9a7675778
Instruction Fuzzy Hash: C7D1CF31701212DFCB19EF16CA99A29F7A4BF16304F14429EE44A6B361CB38ED12CF59

Function 004A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,004A1CAD,?), ref: 004A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,004A1CAD,?), ref: 004A2CCF

Strings

AutoIt v3, xrefs: 004A2C89, 004A2C8E, 004A2C8F
edit, xrefs: 004A2CAC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7e2de529a3abca172343c465645e4ba84eb7b121c42b6c0b38cb08e635e3e59a
Instruction ID: 3e93cea0217940c2ea01dd6d146e5bb0ca8f9fc350affbf2a8c3a9bd133817b2
Opcode Fuzzy Hash: 7e2de529a3abca172343c465645e4ba84eb7b121c42b6c0b38cb08e635e3e59a
Instruction Fuzzy Hash: CEF030765403907AE730072B7C09E773EBDD7D6F50F01045DF908A2260C6611888FA74

Function 004A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004A3B0F,SwapMouseButtons,00000004,?), ref: 004A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004A3B0F,SwapMouseButtons,00000004,?), ref: 004A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,004A3B0F,SwapMouseButtons,00000004,?), ref: 004A3B83

Strings

Control Panel\Mouse, xrefs: 004A3B3E

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e7360d752c37c4dad5da263c24d5bc080f294d1e10b126dc827ef11abd4f6b45
Instruction ID: 04ab529446f7a4bc03a1ff28e248d95522200585f980fe20f3e325eb143b2015
Opcode Fuzzy Hash: e7360d752c37c4dad5da263c24d5bc080f294d1e10b126dc827ef11abd4f6b45
Instruction Fuzzy Hash: D0115AB5510208FFDB208FA4DC88AAFBBB9EF11745B10445AB801E7211E335AE44A764

Function 004A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004E33A2

Part of subcall function 004A6B57: _wcslen.LIBCMT ref: 004A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 004A3A04

Strings

Line: , xrefs: 004E33EB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 1c894ed1748cafa7dde40bacccb626146dd944344167035ea9bed298046c92b0
Instruction ID: 57edb716533d742a638eb1c239f53e2f8d71beff18852dbe0918b8276fe81c8d
Opcode Fuzzy Hash: 1c894ed1748cafa7dde40bacccb626146dd944344167035ea9bed298046c92b0
Instruction Fuzzy Hash: 0C310471408300AAC721EF25EC46FDBB7DCAB61719F00491FF49983191EB789A49D7CA

Function 004A2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004E2C8C

Part of subcall function 004A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004A3A97,?,?,004A2E7F,?,?,?,00000000), ref: 004A3AC2

Part of subcall function 004A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004A2DC4

Strings

X, xrefs: 004E2C5A
`eV, xrefs: 004E2C85

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eV
API String ID: 779396738-860154749
Opcode ID: 5457fb08aa746dbd412acfb91caee80dd887562b0e36bc32b5ecd2c7211746ba
Instruction ID: d9c6b706b71d21f80ec4d50a7aea002f1b706d541f2aa87f3f81e691345dd361
Opcode Fuzzy Hash: 5457fb08aa746dbd412acfb91caee80dd887562b0e36bc32b5ecd2c7211746ba
Instruction Fuzzy Hash: BB21C371A00298AFDB01DF99C945BEE7BFCAF59309F00405EE405A7241DBF85A898BA5

Function 004BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004C0668

Part of subcall function 004C32A4: RaiseException.KERNEL32(?,?,?,004C068A,?,00571444,?,?,?,?,?,?,004C068A,004A1129,00568738,004A1129), ref: 004C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 004C0685

Strings

Unknown exception, xrefs: 004C0692

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 00d40c60a8af9c34fdae2f240afef95b46095888abdc652580ee572bef7e42a6
Instruction ID: f6d34fdcb0f845833c6914bf59496475b96254eb388743b23fa724c3986b5e41
Opcode Fuzzy Hash: 00d40c60a8af9c34fdae2f240afef95b46095888abdc652580ee572bef7e42a6
Instruction Fuzzy Hash: 5EF0283890020CB78F40BA65DC46E9E7B6C6E00304B60453FB818C2591EF79DA1AC698

Function 004A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 004A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004A1BF4
Part of subcall function 004A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 004A1BFC
Part of subcall function 004A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004A1C07
Part of subcall function 004A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004A1C12
Part of subcall function 004A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 004A1C1A
Part of subcall function 004A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 004A1C22

Part of subcall function 004A1B4A: RegisterWindowMessageW.USER32(00000004,?,004A12C4), ref: 004A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004A136A
OleInitialize.OLE32 ref: 004A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 004E24AB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3dc8cbb1198706df653d434776f9ef584a9bec22ba86b12ac30bdbc0c142ff50
Instruction ID: 271beffa5c520da87f5378b12f43b8d0ab1ba5aa9cca02147c6ee6bab6d8c716
Opcode Fuzzy Hash: 3dc8cbb1198706df653d434776f9ef584a9bec22ba86b12ac30bdbc0c142ff50
Instruction Fuzzy Hash: B871CBB5921A008EC788EF7EB9466553FE5FBA9344B04822ED00ED7261EB344488FF4D

Function 0050C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004A3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0050C259
KillTimer.USER32(?,00000001,?,?), ref: 0050C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0050C270

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 38aa8d2a9b4d51881ba7dd33c5cb6ca422c22ca2cfd9361c41ac2616714db404
Instruction ID: 4f576ac4976607fd246c38a4e5e61c52215f044e35db7d0940ab78521e26288a
Opcode Fuzzy Hash: 38aa8d2a9b4d51881ba7dd33c5cb6ca422c22ca2cfd9361c41ac2616714db404
Instruction Fuzzy Hash: 7B31C374904744AFEB328F648855BEBBFECAF17308F00049EE5DAA7281C7745A88DB51

Function 004D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004D85CC,?,00568CC8,0000000C), ref: 004D8704
GetLastError.KERNEL32(?,004D85CC,?,00568CC8,0000000C), ref: 004D870E
__dosmaperr.LIBCMT ref: 004D8739

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: da73af89a3782293d3cc3e20ea66ee12e416f3daf23ba0d3e9e6490b30891ede
Instruction ID: 84b41a63f15bfe0d54b98ca2942fe8828722d228e47c8ab406c64b0a47cca2ad
Opcode Fuzzy Hash: da73af89a3782293d3cc3e20ea66ee12e416f3daf23ba0d3e9e6490b30891ede
Instruction Fuzzy Hash: 02018E3260426026D62467356C65B7F2B998B91778F39011FFC089B3D3DEACCC81925C

Function 004ADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 004ADB7B
DispatchMessageW.USER32(?), ref: 004ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004ADB9F
Sleep.KERNELBASE(0000000A), ref: 004ADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 004F1CC9

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: ad314774ba02cab9a5ef000f014fa71796d62bff9c6758f7493058a6889b761f
Instruction ID: f003ba0ff5d58941765942851dfea43f3e56ed7d251ed3131b016582e6f852e2
Opcode Fuzzy Hash: ad314774ba02cab9a5ef000f014fa71796d62bff9c6758f7493058a6889b761f
Instruction Fuzzy Hash: A2F054306043449BE730C7619C45FEB77ACEB55310F10451AE65A931D0DB38A4489B2A

Function 004B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004B17F6

Strings

CALL, xrefs: 004B17C6

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: b4f7c26dbaa9dce4834fb2a54fa878d692e602361ed82491c137f8743a4ecaf7
Instruction ID: eb8fe0d9f2c35a534a0692c59e452f1497fd670d2d0f5a990f4e74cb1195c80c
Opcode Fuzzy Hash: b4f7c26dbaa9dce4834fb2a54fa878d692e602361ed82491c137f8743a4ecaf7
Instruction Fuzzy Hash: 3E22AD70608301DFC714DF15C4A0A6ABBF1BF85318F54891EF59A8B361D739E845CBAA

Function 004A3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 004A3908

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 35b5f71ec38b42d8de3d426bb41892e8b5468f6246bca0eb9d2a85ea1e846eca
Instruction ID: 1f4f9d9d5effe39c259cb304a2b094aa2d37f393010403403d4780a47375f1ea
Opcode Fuzzy Hash: 35b5f71ec38b42d8de3d426bb41892e8b5468f6246bca0eb9d2a85ea1e846eca
Instruction Fuzzy Hash: 6831D4705047008FD720EF24D885797BBE8FB59709F00092FF59983340E779AA48DB5A

Function 004BF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004BF661

Part of subcall function 004AD730: GetInputState.USER32 ref: 004AD807

Sleep.KERNEL32(00000000), ref: 004FF2DE

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 0bb93d0ab257ce3edbf9ae8af6906c402a9902ad0921c90ebd188e2ee2208008
Instruction ID: b56b0c91733c74e2c62c321bdbe139bac68a306cefac667398f4339ac32ce6d1
Opcode Fuzzy Hash: 0bb93d0ab257ce3edbf9ae8af6906c402a9902ad0921c90ebd188e2ee2208008
Instruction Fuzzy Hash: 47F0E231240204AFC300EF29D805B6ABBE4FF26360F00402EE809C7361DB70A804CB94

Function 004A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004A4EDD,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4E9C
Part of subcall function 004A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004A4EAE
Part of subcall function 004A4E90: FreeLibrary.KERNEL32(00000000,?,?,004A4EDD,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4EFD

Part of subcall function 004A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004E3CDE,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4E62
Part of subcall function 004A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004A4E74
Part of subcall function 004A4E59: FreeLibrary.KERNEL32(00000000,?,?,004E3CDE,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4E87

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: cf58a50fd5349cb25ab18d757e5e3e2527dc0655a203850049f80400e2748f78
Instruction ID: 6d7832de1159a0837e755212f3bafcc8c1657eceb9144ec4a4aae97ed79d07cd
Opcode Fuzzy Hash: cf58a50fd5349cb25ab18d757e5e3e2527dc0655a203850049f80400e2748f78
Instruction Fuzzy Hash: 80110832600205AACB10AF62D806FEE77A4AFE5715F10441FF452A71C1DEB8AA059758

Function 004D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004D8440

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 46ebb538be9934823eb1574db4ddd91eb34233cfb464b8ff4534902f48b15eca
Instruction ID: 2cef3d5bcf4a873c33c7a0dfb06f2f78bbeee64b11f49177574c0500451ccba8
Opcode Fuzzy Hash: 46ebb538be9934823eb1574db4ddd91eb34233cfb464b8ff4534902f48b15eca
Instruction Fuzzy Hash: 8E11487190410AAFCB05DF58E940AAF7BF4EF48304F10405AF808AB312EB30EA11CBA9

Function 004D5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004D4C7D: RtlAllocateHeap.NTDLL(00000008,004A1129,00000000,?,004D2E29,00000001,00000364,?,?,?,004CF2DE,004D3863,00571444,?,004BFDF5,?), ref: 004D4CBE

_free.LIBCMT ref: 004D506C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: ee992159468e66cffecfe9ac9091c743e006b55794c174a981d4114e867429e5
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: E40149B22047046BE3328F65D891A5AFBECFB89370F25051FE184933C0EA74A805C7B8

Function 004CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 679d3ddea48356fc5d846a3483956e4137d8f23192bf360196fd15c4779e0aed
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: DFF0D63A621A1096C6712A778C15F6B339C9F62338F10072FF421923D2DB7C940285AD

Function 004D4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,004A1129,00000000,?,004D2E29,00000001,00000364,?,?,?,004CF2DE,004D3863,00571444,?,004BFDF5,?), ref: 004D4CBE

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: be659cd94a2725d9d2967cf5037b592711394260cf5e6d96cf1952cdcbd5853d
Instruction ID: 9568dbe48ccbf1c5d2d70d78cea506b9a1e775403936bacac86e658f2f2bda77
Opcode Fuzzy Hash: be659cd94a2725d9d2967cf5037b592711394260cf5e6d96cf1952cdcbd5853d
Instruction Fuzzy Hash: 77F0BB3161212467DB215F629D15F573749AFD1B61B16412BB815A73C0CB78D8019698

Function 004D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00571444,?,004BFDF5,?,?,004AA976,00000010,00571440,004A13FC,?,004A13C6,?,004A1129), ref: 004D3852

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b89f6d57ce44dcb73f5686904798b07bb82d05f030cf4d749e3e5767b20af041
Instruction ID: 9ac9737d8f09660636ca5ec9ac4b0e683a3433b9c0c15f30a5ee3060709f2274
Opcode Fuzzy Hash: b89f6d57ce44dcb73f5686904798b07bb82d05f030cf4d749e3e5767b20af041
Instruction Fuzzy Hash: 70E0E53510022456DA213E779C24F9B3ACAAB827B2F09003BBC04967C0CB5DDD01B2EF

Function 004A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4F6D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 01992dc6a3ae51c4ff220bd4f384bc761bf615e7a2c28618a573f352d5672394
Instruction ID: 739a743e2c4d44fdca7c8cf31559c6d4ca6f3e4ce78ecf27d5e0701333fb0755
Opcode Fuzzy Hash: 01992dc6a3ae51c4ff220bd4f384bc761bf615e7a2c28618a573f352d5672394
Instruction Fuzzy Hash: 59F0A071105341CFCB348F20D49081ABBE0AFA9319320997FF1DA82610C7B99844EF09

Function 00532A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00532A66

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1112b00152da18e615bd6d1b65ff8981f1bd5d0dda241f272be1b1a1dd4f34a9
Instruction ID: febf5ab753f2eca784769abd9e49cd3d1e032399de5cab78b6b0420f930896ce
Opcode Fuzzy Hash: 1112b00152da18e615bd6d1b65ff8981f1bd5d0dda241f272be1b1a1dd4f34a9
Instruction Fuzzy Hash: E1E0DF32350516ABC710EA30EC848FE7F5CFF90390F000936EC16C2140DB30899586A0

Function 004A30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 004A314E

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d3eb4c383ed1abef6e1432a0c9114bcda0cdb415f3f7cb95dea0d71510dbc587
Instruction ID: b4d5959122d45b6b0da5ff1dd67afa988e10f2d1ccec7cba5c44979e7285c764
Opcode Fuzzy Hash: d3eb4c383ed1abef6e1432a0c9114bcda0cdb415f3f7cb95dea0d71510dbc587
Instruction Fuzzy Hash: 1BF0A7709103049FEB529F24EC4A7D67BBCA71170CF0000E9A54C96292DB7447CCDF55

Function 004A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004A2DC4

Part of subcall function 004A6B57: _wcslen.LIBCMT ref: 004A6B6A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0210e1e74c09537be1e977afa640b367613136c2092213b1558013c13e1e3fed
Instruction ID: 22cceea77d1615fd13eab62278083f4d04b84f9fdbce6240520ba176be715261
Opcode Fuzzy Hash: 0210e1e74c09537be1e977afa640b367613136c2092213b1558013c13e1e3fed
Instruction Fuzzy Hash: E7E0CD76A001345BC71192599C05FDA77DDDFC8794F050076FD0AE7258D974AD848694

Function 004A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004A3908

Part of subcall function 004AD730: GetInputState.USER32 ref: 004AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 004A2B6B

Part of subcall function 004A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 004A314E

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 54f6346d701cb252051d5915e2be915fd76bf9d3146b0ff46bc3a38eb76af283
Instruction ID: d9b68f80771a2899ce86725f1d64a2c4c8b988c0b3d63f4883e1e4d844ae7484
Opcode Fuzzy Hash: 54f6346d701cb252051d5915e2be915fd76bf9d3146b0ff46bc3a38eb76af283
Instruction Fuzzy Hash: 3FE0262230420407CA08BF3AA8124BDA78A9BF335AF00543FF047432A2DE2C49495329

Function 004E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,004E0704,?,?,00000000,?,004E0704,00000000,0000000C), ref: 004E03B7

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0435c3ad31bbcb1c3b24d7eec8b779902c4ce7cb8afeaf3acc018b4d7cf69bed
Instruction ID: e72a7749607ed2b2b752980436996ba84b587b152b48e4d11e984cbef029ef8d
Opcode Fuzzy Hash: 0435c3ad31bbcb1c3b24d7eec8b779902c4ce7cb8afeaf3acc018b4d7cf69bed
Instruction Fuzzy Hash: 4AD06C3204010DBBDF028F84DD06EDA3FAAFB48714F014000BE1866120C732E821EB90

Function 004A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 004A1CBC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7059e0ddfe48d5c1213138bdcff4be54a1c4b9d1a187dfaffaf4e0a75e12b5cb
Instruction ID: ba01ca298d74cd90e0bdd423289a9654568e807a71259cd8312742421b9ef8aa
Opcode Fuzzy Hash: 7059e0ddfe48d5c1213138bdcff4be54a1c4b9d1a187dfaffaf4e0a75e12b5cb
Instruction Fuzzy Hash: 9AC09236280304EFF2148B94BC4EF107B64A368B01F048401F64DA96E3C3A228A8FB64

Non-executed Functions

Function 00539576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0053961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0053965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0053969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005396C9
SendMessageW.USER32 ref: 005396F2
GetKeyState.USER32(00000011), ref: 0053978B
GetKeyState.USER32(00000009), ref: 00539798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005397AE
GetKeyState.USER32(00000010), ref: 005397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005397E9
SendMessageW.USER32 ref: 00539810
SendMessageW.USER32(?,00001030,?,00537E95), ref: 00539918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0053992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00539941
SetCapture.USER32(?), ref: 0053994A
ClientToScreen.USER32(?,?), ref: 005399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005399D6
ReleaseCapture.USER32 ref: 005399E1
GetCursorPos.USER32(?), ref: 00539A19
ScreenToClient.USER32(?,?), ref: 00539A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00539A80
SendMessageW.USER32 ref: 00539AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00539AEB
SendMessageW.USER32 ref: 00539B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00539B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00539B4A
GetCursorPos.USER32(?), ref: 00539B68
ScreenToClient.USER32(?,?), ref: 00539B75
GetParent.USER32(?), ref: 00539B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00539BFA
SendMessageW.USER32 ref: 00539C2B
ClientToScreen.USER32(?,?), ref: 00539C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00539CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00539CDE
SendMessageW.USER32 ref: 00539D01
ClientToScreen.USER32(?,?), ref: 00539D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00539D82

Part of subcall function 004B9944: GetWindowLongW.USER32(?,000000EB), ref: 004B9952

GetWindowLongW.USER32(?,000000F0), ref: 00539E05

Strings

F, xrefs: 00539D07
p#W, xrefs: 00539990
@GUI_DRAGID, xrefs: 0053997D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#W
API String ID: 3429851547-503726554
Opcode ID: 4936d990b89f1eed6ffef948e8871dbad10c4a851d0b238b4cca1bad09f7373d
Instruction ID: 90016a6284dd188761dd996f5d3a316ffd3c61a52ccbde6f0c801f007f15cc6b
Opcode Fuzzy Hash: 4936d990b89f1eed6ffef948e8871dbad10c4a851d0b238b4cca1bad09f7373d
Instruction Fuzzy Hash: 6C42BEB5205200AFDB20CF28CC45EAABFE5FF59310F100A1DF6999B2A1D7B1E854EB51

Function 00534873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00534908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00534927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0053494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0053495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0053497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00534A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00534A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00534A7E
IsMenu.USER32(?), ref: 00534A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00534AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00534B20
GetWindowLongW.USER32(?,000000F0), ref: 00534B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00534BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00534C82
wsprintfW.USER32 ref: 00534CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00534CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00534CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00534D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00534D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00534D5A

Strings

%d/%02d/%02d, xrefs: 00534CA8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 07b54f478be665eb4270d5c803f1abcc806a829cdfd3825087ce22e73fad8285
Instruction ID: efa3f32bc252282aefe94500a92c36f5032f101df9ec4fc9f3f0cd701c6cb196
Opcode Fuzzy Hash: 07b54f478be665eb4270d5c803f1abcc806a829cdfd3825087ce22e73fad8285
Instruction Fuzzy Hash: 9B12DD71600214ABEB248F29CC4AFAE7FF8FF45314F144529F916EA2A1DB78A945CF50

Function 004BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 004BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004FF474
IsIconic.USER32(00000000), ref: 004FF47D
ShowWindow.USER32(00000000,00000009), ref: 004FF48A
SetForegroundWindow.USER32(00000000), ref: 004FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004FF4AA
GetCurrentThreadId.KERNEL32 ref: 004FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 004FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 004FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 004FF4DE
SetForegroundWindow.USER32(00000000), ref: 004FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 004FF4F6
keybd_event.USER32(00000012,00000000), ref: 004FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 004FF50B
keybd_event.USER32(00000012,00000000), ref: 004FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 004FF519
keybd_event.USER32(00000012,00000000), ref: 004FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 004FF528
keybd_event.USER32(00000012,00000000), ref: 004FF52D
SetForegroundWindow.USER32(00000000), ref: 004FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 004FF557

Strings

Shell_TrayWnd, xrefs: 004FF46F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 4fd6302af20a17d6040a68b39361be349ab7ffb86a65543aa526ca7d32655ffb
Instruction ID: 1f7db34b7dc6387fa68b126a2b69e510b6a3226b03b2d34981cfd6ea7bd313a9
Opcode Fuzzy Hash: 4fd6302af20a17d6040a68b39361be349ab7ffb86a65543aa526ca7d32655ffb
Instruction Fuzzy Hash: 3D315E71A4021CBBEB206BB55C4AFBF7E6CEF54B50F100066FA01F62D1C6B59D04ABA5

Function 00501201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0050170D
Part of subcall function 005016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0050173A
Part of subcall function 005016C3: GetLastError.KERNEL32 ref: 0050174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00501286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005012A8
CloseHandle.KERNEL32(?), ref: 005012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005012D1
GetProcessWindowStation.USER32 ref: 005012EA
SetProcessWindowStation.USER32(00000000), ref: 005012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00501310

Part of subcall function 005010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005011FC), ref: 005010D4
Part of subcall function 005010BF: CloseHandle.KERNEL32(?,?,005011FC), ref: 005010E9

Strings

ZV, xrefs: 00501392
default, xrefs: 0050130B
winsta0, xrefs: 005012CC
, xrefs: 0050125A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZV
API String ID: 22674027-1908597597
Opcode ID: 3f28bc1caffd36efc7e97f6272f8e4af124520056ef5cd646acc2ae713819f34
Instruction ID: 51eca7b15197c7dfc3920f824bba0d60a6b73913cf8ddabf63e9e62afbfc873e
Opcode Fuzzy Hash: 3f28bc1caffd36efc7e97f6272f8e4af124520056ef5cd646acc2ae713819f34
Instruction Fuzzy Hash: 7F818871900609ABDF219FA8DC49FEE7FB9FF04704F144129F910B62A0D7758A58DB2A

Function 00500B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00501114
Part of subcall function 005010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00500B9B,?,?,?), ref: 00501120
Part of subcall function 005010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00500B9B,?,?,?), ref: 0050112F
Part of subcall function 005010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00500B9B,?,?,?), ref: 00501136
Part of subcall function 005010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0050114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00500BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00500C00
GetLengthSid.ADVAPI32(?), ref: 00500C17
GetAce.ADVAPI32(?,00000000,?), ref: 00500C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00500C6D
GetLengthSid.ADVAPI32(?), ref: 00500C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00500C8C
HeapAlloc.KERNEL32(00000000), ref: 00500C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00500CB4
CopySid.ADVAPI32(00000000), ref: 00500CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00500CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00500D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00500D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00500D45
HeapFree.KERNEL32(00000000), ref: 00500D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00500D55
HeapFree.KERNEL32(00000000), ref: 00500D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00500D65
HeapFree.KERNEL32(00000000), ref: 00500D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00500D78
HeapFree.KERNEL32(00000000), ref: 00500D7F

Part of subcall function 00501193: GetProcessHeap.KERNEL32(00000008,00500BB1,?,00000000,?,00500BB1,?), ref: 005011A1
Part of subcall function 00501193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00500BB1,?), ref: 005011A8
Part of subcall function 00501193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00500BB1,?), ref: 005011B7

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c50ce0bb09918ce5435f98d4be7402d1cf355476ab7e0a252e0fa754d3c2d0f0
Instruction ID: 5e7dfcce16bae18aa8165f8396c65f9b58002619dbe794c18c34d18253c536f3
Opcode Fuzzy Hash: c50ce0bb09918ce5435f98d4be7402d1cf355476ab7e0a252e0fa754d3c2d0f0
Instruction Fuzzy Hash: F371477690020AABDF109FA4DC48BAEBFB8BF14310F144615E915F62D1D775AA09DBB0

Function 0051EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0053CC08), ref: 0051EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0051EB37
GetClipboardData.USER32(0000000D), ref: 0051EB43
CloseClipboard.USER32 ref: 0051EB4F
GlobalLock.KERNEL32(00000000), ref: 0051EB87
CloseClipboard.USER32 ref: 0051EB91
GlobalUnlock.KERNEL32(00000000), ref: 0051EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0051EBC9
GetClipboardData.USER32(00000001), ref: 0051EBD1
GlobalLock.KERNEL32(00000000), ref: 0051EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0051EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0051EC38
GetClipboardData.USER32(0000000F), ref: 0051EC44
GlobalLock.KERNEL32(00000000), ref: 0051EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0051EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0051EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0051ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0051ECF3
CountClipboardFormats.USER32 ref: 0051ED14
CloseClipboard.USER32 ref: 0051ED59

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7fc141a89cb5cdbec0c551c46eaffe16eff077aa3439979ab5da938a8d22c4f6
Instruction ID: 25c14456feb5b574d86d3feef183b9851b10a9d8156b1446ee73d7ed0b27bb6d
Opcode Fuzzy Hash: 7fc141a89cb5cdbec0c551c46eaffe16eff077aa3439979ab5da938a8d22c4f6
Instruction Fuzzy Hash: E761E3352043019FE300EF24D88AFAA7FA4BF95714F08455DF856972A1DB31DD89DB62

Function 0051698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005169BE
FindClose.KERNEL32(00000000), ref: 00516A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00516A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00516A75

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00516AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00516ADF

Strings

%03d, xrefs: 00516DA2
%4d, xrefs: 00516BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00516B32
%02d, xrefs: 00516C00, 00516C0A, 00516C5A, 00516CAA, 00516CFA, 00516D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00516B6A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 0df802ca85fa2d9ddd5c9d318ce925a1220f92904e0940c20d4e111fdad3ab2e
Instruction ID: 76810c39256175d290ac044bbae3ec6a16100af4962d8fac03d72bf6f42bee4e
Opcode Fuzzy Hash: 0df802ca85fa2d9ddd5c9d318ce925a1220f92904e0940c20d4e111fdad3ab2e
Instruction Fuzzy Hash: B7D14271508300AEC710EBA5CC81EABB7ECBF99708F44491EF589D7191EB78DA48C762

Function 00519642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00519663
GetFileAttributesW.KERNEL32(?), ref: 005196A1
SetFileAttributesW.KERNEL32(?,?), ref: 005196BB
FindNextFileW.KERNEL32(00000000,?), ref: 005196D3
FindClose.KERNEL32(00000000), ref: 005196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0051974A
SetCurrentDirectoryW.KERNEL32(00566B7C), ref: 00519768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00519772
FindClose.KERNEL32(00000000), ref: 0051977F
FindClose.KERNEL32(00000000), ref: 0051978F

Strings

*.*, xrefs: 005196F5

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 75dbc26779c6b6bad636f6f515b1eea455fea530dff8283e0fb86878cc58925b
Instruction ID: 695103a025190b3f424aaabeeac536814646afdc304dddd5a0ca1e91cfca9a33
Opcode Fuzzy Hash: 75dbc26779c6b6bad636f6f515b1eea455fea530dff8283e0fb86878cc58925b
Instruction Fuzzy Hash: 3A31C2365002196AEB14AFB5DC18ADE7FACFF4A320F104596F815E31E0DB34DD848B64

Function 0051979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 005197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00519819
FindClose.KERNEL32(00000000), ref: 00519824
FindFirstFileW.KERNEL32(*.*,?), ref: 00519840
SetCurrentDirectoryW.KERNEL32(?), ref: 00519890
SetCurrentDirectoryW.KERNEL32(00566B7C), ref: 005198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005198B8
FindClose.KERNEL32(00000000), ref: 005198C5
FindClose.KERNEL32(00000000), ref: 005198D5

Part of subcall function 0050DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0050DB00

Strings

*.*, xrefs: 0051983B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 976bff3f92453a66e3524c700e0092f4aeea22b1581004ef1f5b7373702f97ab
Instruction ID: d7da3218893f4a9f7a706d40b77801102955bd3f914d87b604bb165b27ca4f36
Opcode Fuzzy Hash: 976bff3f92453a66e3524c700e0092f4aeea22b1581004ef1f5b7373702f97ab
Instruction Fuzzy Hash: F231B2365002197AEB10AFA4DC58ADE7FACBF46324F1045AAF854A31A0DB30D9898B64

Function 0052BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0052C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052B6AE,?,?), ref: 0052C9B5
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052C9F1
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052CA68
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0052BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0052BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0052BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0052C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0052C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0052C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0052C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0052C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0052C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0052C382
RegCloseKey.ADVAPI32(00000000), ref: 0052C38F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 9da5e12f9ef06b7ff6e49cbd704b7f903a4aba60e863b88406e3538fe5bdc855
Instruction ID: d2ed7e089b204fbf52ef8eeec1015c39b873ef575303466639ea35f146eb0fd9
Opcode Fuzzy Hash: 9da5e12f9ef06b7ff6e49cbd704b7f903a4aba60e863b88406e3538fe5bdc855
Instruction Fuzzy Hash: CE025D71604210AFD714DF24D895E2ABBE5FF9A308F18889DF84ADB2A2D731EC45CB51

Function 00518195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00518257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00518267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00518273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00518310
SetCurrentDirectoryW.KERNEL32(?), ref: 00518324
SetCurrentDirectoryW.KERNEL32(?), ref: 00518356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0051838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00518395

Strings

*.*, xrefs: 0051839B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 99afc36fc2cc3e466a070549651c0a27aa2d763507af3b9ba4ca884e3d17a8f1
Instruction ID: e9b91e035d87b77afc9b34c354d887aa9e9f46f4edbe65fc1a48d51bc4d09906
Opcode Fuzzy Hash: 99afc36fc2cc3e466a070549651c0a27aa2d763507af3b9ba4ca884e3d17a8f1
Instruction Fuzzy Hash: 1861AB76504305AFD720EF21C8809AEB7E8FF89318F048D1EF99983251DB35E949CB92

Function 0050D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004A3A97,?,?,004A2E7F,?,?,?,00000000), ref: 004A3AC2

Part of subcall function 0050E199: GetFileAttributesW.KERNEL32(?,0050CF95), ref: 0050E19A

FindFirstFileW.KERNEL32(?,?), ref: 0050D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0050D1DD
MoveFileW.KERNEL32(?,?), ref: 0050D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0050D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0050D237

Part of subcall function 0050D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0050D21C,?,?), ref: 0050D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0050D253
FindClose.KERNEL32(00000000), ref: 0050D264

Strings

\*.*, xrefs: 0050D0CD, 0050D0D6, 0050D0EB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d35195cbb3c9668b81b1c11f30403ccbc36886339011bacd4216c2bb59f4f186
Instruction ID: 6475240dc5f731d532aa4c80d28fb5a51889b279431028e5eb9b286db18b4d10
Opcode Fuzzy Hash: d35195cbb3c9668b81b1c11f30403ccbc36886339011bacd4216c2bb59f4f186
Instruction Fuzzy Hash: CB617E35C0111EAACF05EBE1CA929EEBBB5BF65344F24406AF40277191EB346F09DB64

Function 0051ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0051ED91
EmptyClipboard.USER32 ref: 0051ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0051EDAC
CloseClipboard.USER32 ref: 0051EEA3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 746ebf1e26338d08025733ed4b42b7fb1805f5b4e533c817e4eabcc171e46094
Instruction ID: 578258706a8f3439e159d86198260ab1d5b57bf30194093fadee315a1cfd996e
Opcode Fuzzy Hash: 746ebf1e26338d08025733ed4b42b7fb1805f5b4e533c817e4eabcc171e46094
Instruction Fuzzy Hash: 4D41AE35204611AFE310CF29E88AB59BFE5BF54318F14C49DE8199B7A2C735EC81CB90

Function 0050E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0050170D
Part of subcall function 005016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0050173A
Part of subcall function 005016C3: GetLastError.KERNEL32 ref: 0050174A

ExitWindowsEx.USER32(?,00000000), ref: 0050E932

Strings

, xrefs: 0050E95C
@, xrefs: 0050E925
SeShutdownPrivilege, xrefs: 0050E902
, xrefs: 0050E920

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d8f94234f2ea14d40081241c1f8e4ea98f2e1c7578b51def9fa340050ec8fdb1
Instruction ID: ea45bc578120b4097be95690c0f6d24f16bf46183f4eca0ff3ae67cde4b87d85
Opcode Fuzzy Hash: d8f94234f2ea14d40081241c1f8e4ea98f2e1c7578b51def9fa340050ec8fdb1
Instruction Fuzzy Hash: 9501D673610211ABEB6466B49C8BBBF7E5CB714750F254D21FC03F22D1D5A15C449294

Function 00521204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00521276
WSAGetLastError.WSOCK32 ref: 00521283
bind.WSOCK32(00000000,?,00000010), ref: 005212BA
WSAGetLastError.WSOCK32 ref: 005212C5
closesocket.WSOCK32(00000000), ref: 005212F4
listen.WSOCK32(00000000,00000005), ref: 00521303
WSAGetLastError.WSOCK32 ref: 0052130D
closesocket.WSOCK32(00000000), ref: 0052133C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: da3c12af73bbf13d87c4022f83a93722132edebe0af06d2553f53372b63b3fea
Instruction ID: d848ffab4310d5088015cac49d13f610ba70b4472d8904fab4d5f4ce64f6e56b
Opcode Fuzzy Hash: da3c12af73bbf13d87c4022f83a93722132edebe0af06d2553f53372b63b3fea
Instruction Fuzzy Hash: AB418D35A00510AFD710DF25D488B2ABBE6BF66318F188488E8569F3D2C771ED85CBE0

Function 004DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004DB9D4
_free.LIBCMT ref: 004DB9F8
_free.LIBCMT ref: 004DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00543700), ref: 004DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0057121C,000000FF,00000000,0000003F,00000000,?,?), ref: 004DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00571270,000000FF,?,0000003F,00000000,?), ref: 004DBC36
_free.LIBCMT ref: 004DBD4B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0ca3b4db92382e7c480281cbb22a0549de67d07c35483fe85810e67e91906fa3
Instruction ID: 47eb3343b74c654188d2c138db7ed5ac36651e197ce5056cb752a063e3d94275
Opcode Fuzzy Hash: 0ca3b4db92382e7c480281cbb22a0549de67d07c35483fe85810e67e91906fa3
Instruction Fuzzy Hash: A4C15875A00204EFCB209F6A9C61BAE7BE8EF51310F15419FE89497352EB389E4197D8

Function 0050D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004A3A97,?,?,004A2E7F,?,?,?,00000000), ref: 004A3AC2

Part of subcall function 0050E199: GetFileAttributesW.KERNEL32(?,0050CF95), ref: 0050E19A

FindFirstFileW.KERNEL32(?,?), ref: 0050D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0050D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0050D481
FindClose.KERNEL32(00000000), ref: 0050D498
FindClose.KERNEL32(00000000), ref: 0050D4A1

Strings

\*.*, xrefs: 0050D3F2

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e77b3cf7f468519a35348ef8812becb7da2398293d90a567119ebfd872346baf
Instruction ID: b4a4223ccaf4ea58203825c484c0844e817420e42749576c89b964cd20a5c1f5
Opcode Fuzzy Hash: e77b3cf7f468519a35348ef8812becb7da2398293d90a567119ebfd872346baf
Instruction Fuzzy Hash: 7C3170710083419BC700EF65D8518AFBBA8BFA6344F444E1EF4D153191EB78AA0DD767

Function 004DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004DE645

Strings

1#IND, xrefs: 004DF83D
1#INF, xrefs: 004DF852
1#QNAN, xrefs: 004DF84B
1#SNAN, xrefs: 004DF844

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c49cb63f869c752b3098f1836461e243be96fb2904df67ead1f106f69cf1a899
Instruction ID: cdc132c755d49c1306998caf7065d1c2d2f70f6d2cfc2a01a624daef1b612d6d
Opcode Fuzzy Hash: c49cb63f869c752b3098f1836461e243be96fb2904df67ead1f106f69cf1a899
Instruction Fuzzy Hash: 31C26771E086288BDB35DE299D507EAB7B5EB49304F1441EBD80EE7340E778AE858F44

Function 0051648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005164DC
CoInitialize.OLE32(00000000), ref: 00516639
CoCreateInstance.OLE32(0053FCF8,00000000,00000001,0053FB68,?), ref: 00516650
CoUninitialize.OLE32 ref: 005168D4

Strings

.lnk, xrefs: 005164BA, 00516524, 005165E0

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 06b10d2af6657a15ce49ba715293889db8e1fccd44dfaca004979935b4e6f5e6
Instruction ID: 2f1f7a9514666614156062f1645bb922239da8cdb9ff744ac5d58ece080bf01b
Opcode Fuzzy Hash: 06b10d2af6657a15ce49ba715293889db8e1fccd44dfaca004979935b4e6f5e6
Instruction Fuzzy Hash: F4D15A71508201AFD314EF25C881DABBBE9FFA5308F40496DF5958B291EB30ED45CB92

Function 005222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005222E8

Part of subcall function 0051E4EC: GetWindowRect.USER32(?,?), ref: 0051E504

GetDesktopWindow.USER32 ref: 00522312
GetWindowRect.USER32(00000000), ref: 00522319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00522355
GetCursorPos.USER32(?), ref: 00522381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005223DF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: e0f2fa5e5ff90e084d81886a74cbcb0aa4ffcec19a3bbacae1eff53b60d38768
Instruction ID: bd757eab169b5dac153a992fdd3995a1f25abee6c76e9335770a894d0328ef20
Opcode Fuzzy Hash: e0f2fa5e5ff90e084d81886a74cbcb0aa4ffcec19a3bbacae1eff53b60d38768
Instruction Fuzzy Hash: 6031DE76504315AFDB20DF14D849B9BBBA9FF99310F000A19F985A7291DB34EA08CB92

Function 00519B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00519B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00519C8B

Part of subcall function 00513874: GetInputState.USER32 ref: 005138CB
Part of subcall function 00513874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00513966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00519BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00519C75

Strings

*.*, xrefs: 00519B5D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 59f444fc34d8eeb22e7c3e9749b98f18e69a6dcf3d000be2befdcd848bcc663f
Instruction ID: a6d06a0e53d53b5bcdc91f72ac29c8d1a6c1f480621488fee5b7f410721bfeb9
Opcode Fuzzy Hash: 59f444fc34d8eeb22e7c3e9749b98f18e69a6dcf3d000be2befdcd848bcc663f
Instruction Fuzzy Hash: 62417F7190420A9FDF14DF64C895AEEBFB8FF15314F10405AE845A2291EB349E94CFA5

Function 004B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 004B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 004B9A4E
GetSysColor.USER32(0000000F), ref: 004B9B23
SetBkColor.GDI32(?,00000000), ref: 004B9B36

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 018a0f9dd5ef9714c8c2b3a68f5460c26888f8210a05cd7e57d2363abc251b67
Instruction ID: d91b5736ca41ace9b8a38b737764e4bd77b145268dcd6cab7760bff43a74b843
Opcode Fuzzy Hash: 018a0f9dd5ef9714c8c2b3a68f5460c26888f8210a05cd7e57d2363abc251b67
Instruction Fuzzy Hash: 3FA11B70118448BEE724AA3D9C59DFB3A9DEB86350F14410BF302C6791CA6D9D42E27F

Function 00521806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0052304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0052307A
Part of subcall function 0052304E: _wcslen.LIBCMT ref: 0052309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0052185D
WSAGetLastError.WSOCK32 ref: 00521884
bind.WSOCK32(00000000,?,00000010), ref: 005218DB
WSAGetLastError.WSOCK32 ref: 005218E6
closesocket.WSOCK32(00000000), ref: 00521915

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 72a3d62d0b9bbd9ba343578e6b8ae0242e0792af04dbdfac0412042106de832f
Instruction ID: 55186609e13b0e60076ab04f247167d5b31260d007f3b5afaca61a351ab5c765
Opcode Fuzzy Hash: 72a3d62d0b9bbd9ba343578e6b8ae0242e0792af04dbdfac0412042106de832f
Instruction Fuzzy Hash: 5B51D371A00210AFDB10AF24D8C6F6A7BE5AF56718F08849DF9066F3C3C775AD418BA5

Function 00531C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00531CC0
IsWindowEnabled.USER32 ref: 00531CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00531CDB
IsIconic.USER32 ref: 00531CE9
IsZoomed.USER32 ref: 00531CF7

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d1c0cbc36cb587646e9ad3917d8d86d6751848cfc0db3b18462db33f43ef1451
Instruction ID: c9771c53c8831e0ec17bbe10801efa030e1d6e3575600895881b8ec10e7aeda7
Opcode Fuzzy Hash: d1c0cbc36cb587646e9ad3917d8d86d6751848cfc0db3b18462db33f43ef1451
Instruction Fuzzy Hash: 5221BF31740A059FD7208F2AC894B6A7FA5FF95315F189068E84A9B351CB71EC42CB98

Function 004A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004E5DF0
ERCP, xrefs: 004A813C
VUUU, xrefs: 004A843C
VUUU, xrefs: 004A83E8
VUUU, xrefs: 004A83FA

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 6411e73b255ce6c73244056ec204adb5d3923dd98f14487e723fce295f1d49c3
Instruction ID: 2817c5ce2aee7639e5b1e4e6fb773cf12f192f5d4764ec411525b83ea75eea5d
Opcode Fuzzy Hash: 6411e73b255ce6c73244056ec204adb5d3923dd98f14487e723fce295f1d49c3
Instruction Fuzzy Hash: C2A29C70E0025ACBDF24CF59C8407AEB7B1FB65315F2581ABD815A7381EB389D81CB99

Function 00508298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005082AA

Strings

|, xrefs: 005082DA
(, xrefs: 005082F0
tbV, xrefs: 005084F4

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbV$|
API String ID: 1659193697-2685671569
Opcode ID: 463d481a0454f680fb0c53c63a5a33f8191d8ea70b6a99c9e54fd703da3f61a6
Instruction ID: 8534dc0c33d3a34c8ee8762fd4a5c2bce8912e42e3f8bf9df5e8aeceaa320855
Opcode Fuzzy Hash: 463d481a0454f680fb0c53c63a5a33f8191d8ea70b6a99c9e54fd703da3f61a6
Instruction Fuzzy Hash: 3B322774A006059FCB28CF19C481EAABBF0FF48710B15C96EE59ADB3A1DB70E941CB44

Function 0050AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0050AAAC
SetKeyboardState.USER32(00000080), ref: 0050AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0050AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0050AB88

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cae79d19c3bee768cddbcf9ba9aaf4178a563a04f0dcb8bb622f70da448db790
Instruction ID: 89c4bde00f29211ea6cc2aabe4ee1c47ab58a0107e4f8451e6a1096b1372c5db
Opcode Fuzzy Hash: cae79d19c3bee768cddbcf9ba9aaf4178a563a04f0dcb8bb622f70da448db790
Instruction Fuzzy Hash: 29311431A40348AEFF358B68CC09BFE7FAABB84310F08421AF081961D1D774C985D762

Function 0051CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0051CE89
GetLastError.KERNEL32(?,00000000), ref: 0051CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0051CEFE

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: da109754a9ead650cb507976a0f3269f12b560fb92bee5ae61474f61279e0fc1
Instruction ID: 4dbc9a56528fbe51a9f3bcd613d6670732a999feae484b783ef941aa1c963ebb
Opcode Fuzzy Hash: da109754a9ead650cb507976a0f3269f12b560fb92bee5ae61474f61279e0fc1
Instruction Fuzzy Hash: 2321ED71540305ABEB20DFA5C948BA7BFFCFB10308F10491EE542A2251E735EE898B94

Function 00515C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00515CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00515D17
FindClose.KERNEL32(?), ref: 00515D5F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c44bb4568cd5337728b7b661960110bcc54cbcc9fae619f4f79bf8fdcfe80ca4
Instruction ID: b37cbb36d9c51bb47bfe0d19b6e3301aeb632543fec9c0662ebf0c86e7ebe0ad
Opcode Fuzzy Hash: c44bb4568cd5337728b7b661960110bcc54cbcc9fae619f4f79bf8fdcfe80ca4
Instruction Fuzzy Hash: 12519974604601DFD714CF28D484E9ABBE4FF8A318F14855EE99A8B3A1DB30ED84CB91

Function 004D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 004D2731

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 919f71bff13a998dba15f8905de480b2515cf90fcbaa09f32cba81747506e1f8
Instruction ID: 5f71f5e34660db696bc24329952efa35b5148cd8c4fa803fe7704bc08e05ec42
Opcode Fuzzy Hash: 919f71bff13a998dba15f8905de480b2515cf90fcbaa09f32cba81747506e1f8
Instruction Fuzzy Hash: 1931D77590121CABCB61DF65DD88B9DBBB8AF18310F5041DAE81CA7260E7749F858F44

Function 005151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00515238
SetErrorMode.KERNEL32(00000000), ref: 005152A1

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: bc6c47e7460973885c9abd85024b03ec729932e0a681c891031e669fe0c1f9ac
Instruction ID: e5b9b63d826aef8f29a414a7cf7af2aa40d5f4641c6aaba6dade43356c606b99
Opcode Fuzzy Hash: bc6c47e7460973885c9abd85024b03ec729932e0a681c891031e669fe0c1f9ac
Instruction Fuzzy Hash: 0B313E75A00618DFDB00DF55D884EADBBB4FF59318F448099E805AB3A2DB35E859CB90

Function 005016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 004C0668
Part of subcall function 004BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 004C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0050170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0050173A
GetLastError.KERNEL32 ref: 0050174A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 0d73b72d4468c66407126cc8204673ea93038354485712f9f7de9a95c2f7d97c
Instruction ID: abfe1b3a0ada58ef57129eb14856480f0946b4939308ba4dbb0c43b413242428
Opcode Fuzzy Hash: 0d73b72d4468c66407126cc8204673ea93038354485712f9f7de9a95c2f7d97c
Instruction Fuzzy Hash: 47119EB2504704AFD718AF54DC86DAEBBBDFB44754B20852EE05657281EB70FC458B24

Function 0050D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0050D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0050D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0050D650

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0dc02479fa967e961b0a0b6fe64ba5ce48fb94a96edcf6858857cc111086ad70
Instruction ID: 6be9b52cdb727b6a026a37596be846937adc4520c109e04d8ebe5f76e2687f24
Opcode Fuzzy Hash: 0dc02479fa967e961b0a0b6fe64ba5ce48fb94a96edcf6858857cc111086ad70
Instruction Fuzzy Hash: 73117C75E01228BBDB108F949C44FAFBFBCEB45B50F108111F904E7290C2704A059BA1

Function 00501663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0050168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005016A1
FreeSid.ADVAPI32(?), ref: 005016B1

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8d396450ce08f07dd52392a91b37aaff9a1f47553d3075a01aad7fecf38f8bdb
Instruction ID: 9ed7fb4151037154a0b34a1b796f4bf700871f0bd0aeea5172afe6a55d87f3ae
Opcode Fuzzy Hash: 8d396450ce08f07dd52392a91b37aaff9a1f47553d3075a01aad7fecf38f8bdb
Instruction Fuzzy Hash: C2F0F47195030DFBDB00DFE49D89AAEBBBCFB08704F504565E501E2281E774AA489B54

Function 004DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 004DC36C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0c461333a314c727d1fc793ad9c21ea7d5729df53f353d0a348b89b3d78f89d1
Instruction ID: 1ac0f1327d133309e17d87dc07c2fe7ec03d9aca5e71200250323898d656634c
Opcode Fuzzy Hash: 0c461333a314c727d1fc793ad9c21ea7d5729df53f353d0a348b89b3d78f89d1
Instruction Fuzzy Hash: 4541287690021A6BCB249FB9CC99EBB7779EB84314F1042AFF905D7380E6749D41CB58

Function 004FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 004FD28C

Strings

X64, xrefs: 004FD2A8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 1f8d784313d69e5045403ef42096dd439417c2a75496777282b789fbf42783b3
Instruction ID: 0cd327201331b3caaa128eaa38ce9b1a8718b7ad65b8a7d4385c541b89586f08
Opcode Fuzzy Hash: 1f8d784313d69e5045403ef42096dd439417c2a75496777282b789fbf42783b3
Instruction Fuzzy Hash: CBD0C9B480111DEACB94DB90DC8CDDDB77CBB14305F100192F106E2100D73495499F21

Function 004CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 0f6b3457ec738b1654c6b769f0af7a90a4acb776bc9a8fd75c6ab8763fc243b0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 70023B75E002199BDF54CFA9C980BAEBBF1EF49314F25816ED819E7380D735AE418B84

Function 004ACAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#W, xrefs: 004ACF7F
Variable is not of type 'Object'., xrefs: 004F0C40

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#W
API String ID: 0-2765910906
Opcode ID: 1bb473ace1ca8bf6a7cf20d567be4434cf121b0623cc5dbbac08ecfd2c41f249
Instruction ID: 459a324063ecda1f1c379fbe92a7169e6c27918e48f2be9c4a14128d90452134
Opcode Fuzzy Hash: 1bb473ace1ca8bf6a7cf20d567be4434cf121b0623cc5dbbac08ecfd2c41f249
Instruction Fuzzy Hash: 52327A70900218DFDF14DF90C984AFEB7B5BF66308F14405AE906AB382D739AD46CB69

Function 005168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00516918
FindClose.KERNEL32(00000000), ref: 00516961

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 28764e77498c21e0444403f70b1008c461aa25b671568bc2b5dc75a290384eea
Instruction ID: b6d0960201642d0e68b297940740aadf9ee4d5979641b5eef126cdbe86ec2a29
Opcode Fuzzy Hash: 28764e77498c21e0444403f70b1008c461aa25b671568bc2b5dc75a290384eea
Instruction Fuzzy Hash: A6117C356042109FD710DF2AD884A16BBE5FF85328F14C69EF8698B6A2C734EC45CB91

Function 005137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00524891,?,?,00000035,?), ref: 005137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00524891,?,?,00000035,?), ref: 005137F4

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d2590384f33ccb9c84b0f19ccbcd89b3720432e06c7a57806a8a823e23903dfc
Instruction ID: 45db2f7295798ae2df590e919f1072f92c88585f7848f7d1cfcc649c1dd50980
Opcode Fuzzy Hash: d2590384f33ccb9c84b0f19ccbcd89b3720432e06c7a57806a8a823e23903dfc
Instruction Fuzzy Hash: AAF0EC716043142AE71057664C4DFDB3E5DEFC5765F000575F509E22D1D9609D48C7B0

Function 0050B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0050B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0050B270

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3007cc89c21c96612a080841df259811ce50949ae3222dd9b4747409e024e4e1
Instruction ID: 599f846481cc4be24e857103a0589defafb873470de58bc2779e2eb617904c32
Opcode Fuzzy Hash: 3007cc89c21c96612a080841df259811ce50949ae3222dd9b4747409e024e4e1
Instruction Fuzzy Hash: 44F01D7580424EABEB059FA0C805BAE7FB4FF14305F008409F955A5191C37986159F94

Function 005010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005011FC), ref: 005010D4
CloseHandle.KERNEL32(?,?,005011FC), ref: 005010E9

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 689ec948d0357fc41e9c15e7227131b81484b5299914b100c9b49234d704a3f1
Instruction ID: 822254bc999f679b31cbb8b3fbde040b5c774323980ba63ae5b18585daa4d17e
Opcode Fuzzy Hash: 689ec948d0357fc41e9c15e7227131b81484b5299914b100c9b49234d704a3f1
Instruction Fuzzy Hash: 04E0BF72014610AFE7252B51FC09EB77BE9EB04314B14882EF5A6905B1DB62ACA4EB64

Function 004D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004D6766,?,?,00000008,?,?,004DFEFE,00000000), ref: 004D6998

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 664dc38948e42dd1cf2f16e9cb65e04d0e37bf727c8a3e0d1911d6cd5b75415e
Instruction ID: d852bbef5695602df3ffee58f933a11d8a4d54cdf03a9f892ca8c3181c6e8adc
Opcode Fuzzy Hash: 664dc38948e42dd1cf2f16e9cb65e04d0e37bf727c8a3e0d1911d6cd5b75415e
Instruction Fuzzy Hash: 97B16D716106089FD714CF28C4A6B657BE0FF05364F26869AE8D9CF3A1C339D982CB44

Function 004BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 004F851F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e576d6a7398f3fe0871404b7840f7ae5e02a2e74d19610b5092ddbee21a826a7
Instruction ID: d6fae5a93a168a83799665ab2d55ec5063b10c8cd42b686341b2ed0fd2d3c7c9
Opcode Fuzzy Hash: e576d6a7398f3fe0871404b7840f7ae5e02a2e74d19610b5092ddbee21a826a7
Instruction Fuzzy Hash: 881250719002299BDB14CF58C8806FEB7F5FF48710F14819AE949EB251EB749E81CFA5

Function 0051EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0051EABD

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 26f7a71e928d0afd3a0575c383ccd07714998652118c7c5e4936ea839b9537ba
Instruction ID: 6ceb894c89597592fed61042e1c9570b97bff656ffa23bcad3001a54e3673540
Opcode Fuzzy Hash: 26f7a71e928d0afd3a0575c383ccd07714998652118c7c5e4936ea839b9537ba
Instruction Fuzzy Hash: 0CE012312002049FD710DF5AD445D9ABBD9BF69764F00841AFC45D7351D674A8408B91

Function 004C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004C03EE), ref: 004C09DA

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 161d99b96832c4661a2902e7758a2d1cbc4f46fbf39c4c42a56e12de4479ed7a
Instruction ID: 1546f55995e969c3fa3c6851baf002323866d3f730423a74aa9e4f0852b44a59
Opcode Fuzzy Hash: 161d99b96832c4661a2902e7758a2d1cbc4f46fbf39c4c42a56e12de4479ed7a
Instruction Fuzzy Hash:

Function 004C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 004C798B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e3d6939d9b3b9767a182e95562f4611ec756e338f48bd41e16d2ee9c47a87be3
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: F5517EAD60C60557EBF4662A4459FBF27959B12344F18050FDA82C7382C62DDE02DF7E

Function 00512046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&W, xrefs: 00512053

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: 0&W
API String ID: 0-3992681457
Opcode ID: af80b4b9f378895bd21e2bd93cf6f7df0e7a15d17078d4a7d7c17ebaf647048e
Instruction ID: c437a13a568acefba01f0ee8e1a7847479dc3f12103a5a5223a36a76fd737bde
Opcode Fuzzy Hash: af80b4b9f378895bd21e2bd93cf6f7df0e7a15d17078d4a7d7c17ebaf647048e
Instruction Fuzzy Hash: EE21D5322206118BD728CF79C8276BA77E5B764310F14862EE4A7C33D1DE39A944DB80

Function 004D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e1f9140c9d3d65d9c8893c9fda3506940c1e307d3503493e85017a2fedd5d9
Instruction ID: 74ffd857413f4321bf1d36a36593dce5ef1b65df07a81d940ab391b940514b53
Opcode Fuzzy Hash: f4e1f9140c9d3d65d9c8893c9fda3506940c1e307d3503493e85017a2fedd5d9
Instruction Fuzzy Hash: 57322226D29F114DD7239634D832336A249AFB73C9F55C737F81AB5EAAEB28C4835101

Function 004BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dcc5b858809cf2c586eab4df4f705001fbb93cf49afe545a38dcdad73ce92b
Instruction ID: 25016c22b3c1a3cbb8344f99e124f06dc827120f1785d476888a588567d10718
Opcode Fuzzy Hash: 86dcc5b858809cf2c586eab4df4f705001fbb93cf49afe545a38dcdad73ce92b
Instruction Fuzzy Hash: 1A32F631A0414D8BDF28CA29C6D46BF7BB1EB45300F28856BD659CB391D23CDD82DB99

Function 004A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de49bdb9138427385dd7dff63d915dc96a5e776b19a4f8b8958ecb1e79f8dd3
Instruction ID: 8992fecb0e192a75d1016f1f59f47273b39c618a978cbc943012500794ab9113
Opcode Fuzzy Hash: 5de49bdb9138427385dd7dff63d915dc96a5e776b19a4f8b8958ecb1e79f8dd3
Instruction Fuzzy Hash: 3622D1B0A00609EFDF14CF65C841AAEB3B5FF55308F10452AE816A7391E739ED15CB69

Function 004A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301a3f6f73adffc10afbd3a17796488dd4f580a45b49464d9ec729e5e946b2fc
Instruction ID: 8b9714f7b7f9a356966f5f39d87041d0ccdad5b90c5fa68ef3ee1815e0dd5cad
Opcode Fuzzy Hash: 301a3f6f73adffc10afbd3a17796488dd4f580a45b49464d9ec729e5e946b2fc
Instruction Fuzzy Hash: D602D7B1E00105EFCB04DF66D881AAEB7B5FF54304F10856AE8069B391E739EE15CB99

Function 004D9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d27f53259606f06a9182577ffd60705f9f22c8ee139fb7f46ccef6e4e05f5da
Instruction ID: 021b0a018950f6cbe2dc6d97945924a6e10126fc0a1bdfee3a871c8d59d1d546
Opcode Fuzzy Hash: 1d27f53259606f06a9182577ffd60705f9f22c8ee139fb7f46ccef6e4e05f5da
Instruction Fuzzy Hash: 13B10424D2AF404DD3239B398835336B65CAFBB6D9F51D71BFC1674E22EB2286879140

Function 004C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5ae4e298faa7a51da84f9ada5f2daf5f6da7ee8984155c43d541b5dee148bd5d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5A91BA7A1080A349D7A9423D8434A3FFFE15A533A1319079FE4F3CA2E2FE28D565D624

Function 004C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 6d86691e3be10487ea07ff2f31d6fa3e6d0151a1ba52e4fff087744dac336b90
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3891DB7A2090E309DB9D4279847493FFFE14A933A1319079FD4F2CA2E2FD28D965D624

Function 004C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa833f34d40d8c120fe9f7b5d0e85958607de0cb64e272b99499ef34e2647297
Instruction ID: 78195b7a578e528b980c8eaba446c57ae51459f9eef499fc0dff9e406b3ecc91
Opcode Fuzzy Hash: aa833f34d40d8c120fe9f7b5d0e85958607de0cb64e272b99499ef34e2647297
Instruction Fuzzy Hash: D761247D20870567DBF49A288995FBF3394DB41718F14091FE942DB382E61EAE428F1E

Function 004C7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe631b7e0f07c919e5a89479cc61a72c1b9d5943cd1bccb771277419c304ac99
Instruction ID: fcbd3f9de3365685df68d2d0234dd65bf4d4c5dcc07767ccd908b3755671a569
Opcode Fuzzy Hash: fe631b7e0f07c919e5a89479cc61a72c1b9d5943cd1bccb771277419c304ac99
Instruction Fuzzy Hash: 17617B7E20870967DAF84A285892FBF2394AF41744F10495FF943CB381DA1EAD42CE5E

Function 004C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 0fbb1e849c7f5d8d96e52fac2450b53df482d59758bfb76ed37f1298939c7cc5
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: C481987A50D0A309DB9D4239857493FFFE15A933A131A079FD4F2CA2E3ED28C554D624

Function 00522ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00522B30
DeleteObject.GDI32(00000000), ref: 00522B43
DestroyWindow.USER32 ref: 00522B52
GetDesktopWindow.USER32 ref: 00522B6D
GetWindowRect.USER32(00000000), ref: 00522B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00522CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00522CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00522CF8
GetClientRect.USER32(00000000,?), ref: 00522D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00522D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00522D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00522D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00522D80
GlobalLock.KERNEL32(00000000), ref: 00522D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00522D98
GlobalUnlock.KERNEL32(00000000), ref: 00522DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00522DA8
GlobalFree.KERNEL32(00000000), ref: 00522DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00522DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0053FC38,00000000), ref: 00522DDB
GlobalFree.KERNEL32(00000000), ref: 00522DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00522E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00522E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00522E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0052303F

Strings

AutoIt v3, xrefs: 00522CF2
, xrefs: 00522FC5
DISPLAY, xrefs: 00522EA2
static, xrefs: 00522D3A, 00522E91

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8f24f629e9f6a66c0f3bb2b0689c66fbc988989cc235741da69a245e4537f77c
Instruction ID: 5249657f1f41f16ddd515ee2408fc389d9f34fe4a4ca81847d43dc5c00b8ae34
Opcode Fuzzy Hash: 8f24f629e9f6a66c0f3bb2b0689c66fbc988989cc235741da69a245e4537f77c
Instruction Fuzzy Hash: 45029A75900214AFDB14DFA8DC89EAE7FB9FF59314F048518F915AB2A1CB34AD04DB60

Function 005370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0053712F
GetSysColorBrush.USER32(0000000F), ref: 00537160
GetSysColor.USER32(0000000F), ref: 0053716C
SetBkColor.GDI32(?,000000FF), ref: 00537186
SelectObject.GDI32(?,?), ref: 00537195
InflateRect.USER32(?,000000FF,000000FF), ref: 005371C0
GetSysColor.USER32(00000010), ref: 005371C8
CreateSolidBrush.GDI32(00000000), ref: 005371CF
FrameRect.USER32(?,?,00000000), ref: 005371DE
DeleteObject.GDI32(00000000), ref: 005371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00537230
FillRect.USER32(?,?,?), ref: 00537262
GetWindowLongW.USER32(?,000000F0), ref: 00537284

Part of subcall function 005373E8: GetSysColor.USER32(00000012), ref: 00537421
Part of subcall function 005373E8: SetTextColor.GDI32(?,?), ref: 00537425
Part of subcall function 005373E8: GetSysColorBrush.USER32(0000000F), ref: 0053743B
Part of subcall function 005373E8: GetSysColor.USER32(0000000F), ref: 00537446
Part of subcall function 005373E8: GetSysColor.USER32(00000011), ref: 00537463
Part of subcall function 005373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00537471
Part of subcall function 005373E8: SelectObject.GDI32(?,00000000), ref: 00537482
Part of subcall function 005373E8: SetBkColor.GDI32(?,00000000), ref: 0053748B
Part of subcall function 005373E8: SelectObject.GDI32(?,?), ref: 00537498
Part of subcall function 005373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005374B7
Part of subcall function 005373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005374CE
Part of subcall function 005373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005374DB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 44a1165499490fb4ba45f8b4c6292c6a53f95ac5d2961da36fb592f75d7946ec
Instruction ID: dd878f62cda56a43ade082326a198b6e51f73a8f7fc5b19f971303ae1366e633
Opcode Fuzzy Hash: 44a1165499490fb4ba45f8b4c6292c6a53f95ac5d2961da36fb592f75d7946ec
Instruction Fuzzy Hash: DBA1B072408305AFDB109F64DC48E6B7FA9FF9C321F100A19F962A62E1D771E948EB51

Function 004B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 004B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 004F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004F6F43

Part of subcall function 004B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004B8BE8,?,00000000,?,?,?,?,004B8BBA,00000000,?), ref: 004B8FC5

SendMessageW.USER32(?,00001053), ref: 004F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 004F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 004F6FB7

Strings

0, xrefs: 004F6DCF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 72a3399895cec08877da8046dbf89ed201943b244517bcc0e30ee172b11beebf
Instruction ID: 745975ebf5d0a1c33d07c4bb5cadaaad73339660b0dd4365649610b591dfad91
Opcode Fuzzy Hash: 72a3399895cec08877da8046dbf89ed201943b244517bcc0e30ee172b11beebf
Instruction Fuzzy Hash: BB12DE30200205DFDB25DF18D844BBABBE5FB54300F15406EE689CB261CB39EC96EB69

Function 00522711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0052273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0052286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00522900
GetClientRect.USER32(00000000,?), ref: 0052290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00522955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00522964
GetStockObject.GDI32(00000011), ref: 00522974
SelectObject.GDI32(00000000,00000000), ref: 00522978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00522988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00522991
DeleteDC.GDI32(00000000), ref: 0052299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00522A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00522A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00522A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00522A77
GetStockObject.GDI32(00000011), ref: 00522A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00522A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00522A97

Strings

msctls_progress32, xrefs: 00522A13
AutoIt v3, xrefs: 005228F8
DISPLAY, xrefs: 0052295A
static, xrefs: 0052294F, 00522A71

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 77faa6711ad153210878fa3e36355c7d3f65fdb9648e05ad563d29321df4b07e
Instruction ID: dcf77e92ede271818ccef2ccf7b8b505ae1e90235797529534c92d4295d27815
Opcode Fuzzy Hash: 77faa6711ad153210878fa3e36355c7d3f65fdb9648e05ad563d29321df4b07e
Instruction Fuzzy Hash: D2B18B75A00215BFEB10DFA8DC8AEAE7BA9FB19714F008519F914E7290C774ED40DBA4

Function 00514ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00514AED
GetDriveTypeW.KERNEL32(?,0053CB68,?,\\.\,0053CC08), ref: 00514BCA
SetErrorMode.KERNEL32(00000000,0053CB68,?,\\.\,0053CC08), ref: 00514D36

Strings

ATAPI, xrefs: 00514C91
RAID, xrefs: 00514CBB
FileBackedVirtual, xrefs: 00514CEC
SATA, xrefs: 00514CD0
1394, xrefs: 00514C9F
SAS, xrefs: 00514CC9
MMC, xrefs: 00514CDE
Fixed, xrefs: 00514C09
SSD, xrefs: 00514C4A
Virtual, xrefs: 00514CE5
SCSI, xrefs: 00514C8A
iSCSI, xrefs: 00514CC2
ATA, xrefs: 00514C98
Network, xrefs: 00514C02
USB, xrefs: 00514CB4
CDROM, xrefs: 00514BFB
RAMDisk, xrefs: 00514BF4
PhysicalDrive, xrefs: 00514B76
\\.\, xrefs: 00514B3F
Removable, xrefs: 00514C10, 00514C15
Unknown, xrefs: 00514BED, 00514C83
Fibre, xrefs: 00514CAD
SSA, xrefs: 00514CA6

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 53b7708c327294e3882a511c9eeef8345e9fc51b50655c9c6711869f5943f60c
Instruction ID: e902b35ef6085bbed35554e4808c65bc6719ffd4a27ac5d1d3aab3b37d994242
Opcode Fuzzy Hash: 53b7708c327294e3882a511c9eeef8345e9fc51b50655c9c6711869f5943f60c
Instruction Fuzzy Hash: F261D330705106EBEB04DF24CA81DECBFB1BB55748B24981AF806AB691DB39DD81DF81

Function 005373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00537421
SetTextColor.GDI32(?,?), ref: 00537425
GetSysColorBrush.USER32(0000000F), ref: 0053743B
GetSysColor.USER32(0000000F), ref: 00537446
CreateSolidBrush.GDI32(?), ref: 0053744B
GetSysColor.USER32(00000011), ref: 00537463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00537471
SelectObject.GDI32(?,00000000), ref: 00537482
SetBkColor.GDI32(?,00000000), ref: 0053748B
SelectObject.GDI32(?,?), ref: 00537498
InflateRect.USER32(?,000000FF,000000FF), ref: 005374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0053752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00537554
InflateRect.USER32(?,000000FD,000000FD), ref: 00537572
DrawFocusRect.USER32(?,?), ref: 0053757D
GetSysColor.USER32(00000011), ref: 0053758E
SetTextColor.GDI32(?,00000000), ref: 00537596
DrawTextW.USER32(?,005370F5,000000FF,?,00000000), ref: 005375A8
SelectObject.GDI32(?,?), ref: 005375BF
DeleteObject.GDI32(?), ref: 005375CA
SelectObject.GDI32(?,?), ref: 005375D0
DeleteObject.GDI32(?), ref: 005375D5
SetTextColor.GDI32(?,?), ref: 005375DB
SetBkColor.GDI32(?,?), ref: 005375E5

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c57ebb464276d466aa288d648fa12fdf3640037984539fa6215e52c736c33a39
Instruction ID: b169383f824b48c272e0f599a4d6653fac25964333cf632746c05930080c40ca
Opcode Fuzzy Hash: c57ebb464276d466aa288d648fa12fdf3640037984539fa6215e52c736c33a39
Instruction Fuzzy Hash: 94616A72D00218AFDF119FA4DC49AEEBFB9FB08320F104115F915BB2A1D775A940EBA0

Function 00530FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00531128
GetDesktopWindow.USER32 ref: 0053113D
GetWindowRect.USER32(00000000), ref: 00531144
GetWindowLongW.USER32(?,000000F0), ref: 00531199
DestroyWindow.USER32(?), ref: 005311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0053120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0053121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00531232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00531245
IsWindowVisible.USER32(00000000), ref: 005312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005312D0
GetWindowRect.USER32(00000000,?), ref: 005312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0053130E
GetMonitorInfoW.USER32(00000000,?), ref: 00531328
CopyRect.USER32(?,?), ref: 0053133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005313AA

Strings

tooltips_class32, xrefs: 005311E6
0, xrefs: 005310D3
(, xrefs: 0053131B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 97396658040edea01c0a86af64b117a53e114bc2ae235c09496bc23841a470e2
Instruction ID: 724a01eaea2afcd2699cb16361c9271c5dea4521fdfd1a81f9ef4df281371a4c
Opcode Fuzzy Hash: 97396658040edea01c0a86af64b117a53e114bc2ae235c09496bc23841a470e2
Instruction Fuzzy Hash: 8BB19C71608741AFD704DF65C889B6ABFE4FF94344F00891DF999AB2A2CB31E844CB95

Function 00530241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005302E5
_wcslen.LIBCMT ref: 0053031F
_wcslen.LIBCMT ref: 00530389
_wcslen.LIBCMT ref: 005303F1
_wcslen.LIBCMT ref: 00530475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00530504

Part of subcall function 004BF9F2: _wcslen.LIBCMT ref: 004BF9FD

Part of subcall function 0050223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00502258
Part of subcall function 0050223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0050228A

Strings

SELECTALL, xrefs: 00530515
GETSELECTED, xrefs: 005305E1
SELECTCLEAR, xrefs: 0053052D
SELECT, xrefs: 00530548
DESELECT, xrefs: 0053059C
GETSELECTEDCOUNT, xrefs: 00530470, 0053048B
GETTEXT, xrefs: 005303EC, 00530407
GETSUBITEMCOUNT, xrefs: 00530384, 0053039F
FINDITEM, xrefs: 00530627
SELECTINVERT, xrefs: 0053057E
ISSELECTED, xrefs: 005304DD
GETITEMCOUNT, xrefs: 00530316, 00530337
VIEWCHANGE, xrefs: 00530675

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 14f423da11605d97bbeee1ccffe013df56080abf15ab5b6d67041da4697dae3c
Instruction ID: 59f75fbcec942433019a3ef17fcd08e3965f6de9d7f66afb893929ebcbbb7a9c
Opcode Fuzzy Hash: 14f423da11605d97bbeee1ccffe013df56080abf15ab5b6d67041da4697dae3c
Instruction Fuzzy Hash: E6E1DD312083019FCB14DF25C8A192ABBE6BFD8358F14495DF8969B2E6DB34ED45CB81

Function 004B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004B8968
GetSystemMetrics.USER32(00000007), ref: 004B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004B899B
GetSystemMetrics.USER32(00000008), ref: 004B89A3
GetSystemMetrics.USER32(00000004), ref: 004B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 004B8A5A
GetStockObject.GDI32(00000011), ref: 004B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 004B8A81

Part of subcall function 004B912D: GetCursorPos.USER32(?), ref: 004B9141
Part of subcall function 004B912D: ScreenToClient.USER32(00000000,?), ref: 004B915E
Part of subcall function 004B912D: GetAsyncKeyState.USER32(00000001), ref: 004B9183
Part of subcall function 004B912D: GetAsyncKeyState.USER32(00000002), ref: 004B919D

SetTimer.USER32(00000000,00000000,00000028,004B90FC), ref: 004B8AA8

Strings

AutoIt v3 GUI, xrefs: 004B8A20

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9a0693a7c0b00c429c83cab76fa3cc30c6cefb03e9bb987c4083c85a0e1b9312
Instruction ID: cbd33743e1294167c0a1177b1846365cd7aa3733ef7384a79ad81ad54159e525
Opcode Fuzzy Hash: 9a0693a7c0b00c429c83cab76fa3cc30c6cefb03e9bb987c4083c85a0e1b9312
Instruction Fuzzy Hash: 0AB17D71A002099FDF14DF68DC45BEE3BB5FB58314F11412AFA15A7290DB38A841DB69

Function 00500D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00501114
Part of subcall function 005010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00500B9B,?,?,?), ref: 00501120
Part of subcall function 005010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00500B9B,?,?,?), ref: 0050112F
Part of subcall function 005010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00500B9B,?,?,?), ref: 00501136
Part of subcall function 005010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0050114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00500DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00500E29
GetLengthSid.ADVAPI32(?), ref: 00500E40
GetAce.ADVAPI32(?,00000000,?), ref: 00500E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00500E96
GetLengthSid.ADVAPI32(?), ref: 00500EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00500EB5
HeapAlloc.KERNEL32(00000000), ref: 00500EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00500EDD
CopySid.ADVAPI32(00000000), ref: 00500EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00500F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00500F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00500F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00500F6E
HeapFree.KERNEL32(00000000), ref: 00500F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00500F7E
HeapFree.KERNEL32(00000000), ref: 00500F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00500F8E
HeapFree.KERNEL32(00000000), ref: 00500F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00500FA1
HeapFree.KERNEL32(00000000), ref: 00500FA8

Part of subcall function 00501193: GetProcessHeap.KERNEL32(00000008,00500BB1,?,00000000,?,00500BB1,?), ref: 005011A1
Part of subcall function 00501193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00500BB1,?), ref: 005011A8
Part of subcall function 00501193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00500BB1,?), ref: 005011B7

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0f696d51267f52744d424f46055d5c84aecd0d18bb2410a38bce1a69989b7c49
Instruction ID: 26db33245dffc7fd9dff152860cf82edc54c64e16085659871bd4a77d37b0c4e
Opcode Fuzzy Hash: 0f696d51267f52744d424f46055d5c84aecd0d18bb2410a38bce1a69989b7c49
Instruction Fuzzy Hash: 11716A7290020AABDF209FA4DC49FAEBFB8BF15301F144115FA59F62D1D7719A09EB60

Function 0052C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0052C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0053CC08,00000000,?,00000000,?,?), ref: 0052C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0052C5A4
_wcslen.LIBCMT ref: 0052C5F4
_wcslen.LIBCMT ref: 0052C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0052C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0052C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0052C84D
RegCloseKey.ADVAPI32(?), ref: 0052C881
RegCloseKey.ADVAPI32(00000000), ref: 0052C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0052C960

Strings

REG_QWORD, xrefs: 0052C8C3
REG_MULTI_SZ, xrefs: 0052C6F5
REG_BINARY, xrefs: 0052C913
REG_DWORD, xrefs: 0052C804
REG_SZ, xrefs: 0052C644
REG_EXPAND_SZ, xrefs: 0052C5CD

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 7ac14fd08d781ba2497bd2100c3aafc8998b82663e3051ebf0c1be8589d0d414
Instruction ID: 102bad20c93d9f42010e7913f0f2e081b4d100f4192b31a37d6c566281fb453e
Opcode Fuzzy Hash: 7ac14fd08d781ba2497bd2100c3aafc8998b82663e3051ebf0c1be8589d0d414
Instruction Fuzzy Hash: E7128A356042109FDB14EF15D881A2EBBE5FF8A358F04885DF84A9B3A2DB35EC41CB85

Function 0053091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005309C6
_wcslen.LIBCMT ref: 00530A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00530A54
_wcslen.LIBCMT ref: 00530A8A
_wcslen.LIBCMT ref: 00530B06
_wcslen.LIBCMT ref: 00530B81

Part of subcall function 004BF9F2: _wcslen.LIBCMT ref: 004BF9FD

Part of subcall function 00502BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00502BFA

Strings

ISCHECKED, xrefs: 00530CE1
GETSELECTED, xrefs: 00530C4E
COLLAPSE, xrefs: 00530B01, 00530B1C
EXISTS, xrefs: 00530B7C, 00530B97
UNCHECK, xrefs: 00530D3E
SELECT, xrefs: 00530D11
GETITEMCOUNT, xrefs: 00530C1E
CHECK, xrefs: 00530A85, 00530AA0
GETTEXT, xrefs: 00530C97
GETTOTALCOUNT, xrefs: 005309F2, 00530A17
EXPAND, xrefs: 00530BF8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: ca9bf60866ca54c685a95009428ede3fc2d35c2791cf0ef8f8109d28d9fa88b0
Instruction ID: cb596a032d1ed6079f2f7e01fc1a74076a3ee6601be88dce19f9272c26bc8ce4
Opcode Fuzzy Hash: ca9bf60866ca54c685a95009428ede3fc2d35c2791cf0ef8f8109d28d9fa88b0
Instruction Fuzzy Hash: 4FE1BC312083019FC714EF25C4A092EBBE1BF99358F14895DF89A9B7A2DB35ED45CB81

Function 0052C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052B6AE,?,?), ref: 0052C9B5
_wcslen.LIBCMT ref: 0052C9F1
_wcslen.LIBCMT ref: 0052CA68
_wcslen.LIBCMT ref: 0052CA9E
_wcslen.LIBCMT ref: 0052CAF9
_wcslen.LIBCMT ref: 0052CB2F
_wcslen.LIBCMT ref: 0052CB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 0052CB79, 0052CB7E
HKEY_LOCAL_MACHINE, xrefs: 0052CA62, 0052CA67
HKU, xrefs: 0052CBF0
HKEY_CURRENT_USER, xrefs: 0052CBBD
HKLM, xrefs: 0052CA98, 0052CA9D
HKEY_CLASSES_ROOT, xrefs: 0052CAF3, 0052CAF8
HKCR, xrefs: 0052CB29, 0052CB2E
HKCC, xrefs: 0052CBAC
HKEY_USERS, xrefs: 0052CBDF
HKCU, xrefs: 0052CBCE

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 6594269f5cadb3615606484a010c34c2047d337a7467c14ce5b628455c43fb1e
Instruction ID: 51db135594217cf182ea41d0560241290417646d725f55ceb43f4ba4435aa086
Opcode Fuzzy Hash: 6594269f5cadb3615606484a010c34c2047d337a7467c14ce5b628455c43fb1e
Instruction Fuzzy Hash: F071143260013A8BCB20DE3CED515BE3F91BF66798B540529F866A72C6E735CD4483A0

Function 0053833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0053835A
_wcslen.LIBCMT ref: 0053836E
_wcslen.LIBCMT ref: 00538391
_wcslen.LIBCMT ref: 005383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00535BF2), ref: 0053844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00538487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00538501
FreeLibrary.KERNEL32(?), ref: 0053850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0053851D
DestroyIcon.USER32(?,?,?,?,?,00535BF2), ref: 0053852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00538549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00538555

Strings

.icl, xrefs: 00538368
.exe, xrefs: 00538388
.dll, xrefs: 005383AB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 303a20ebc3be0b5881ef9c2c52bb478dab5dfddce4fa8bba774a2103f99fd0d7
Instruction ID: afd26e824f22a1830e4c25a8294615ab2cafd26a1980ba79ebc36334266b364b
Opcode Fuzzy Hash: 303a20ebc3be0b5881ef9c2c52bb478dab5dfddce4fa8bba774a2103f99fd0d7
Instruction Fuzzy Hash: E561E071500315BEEB18DF64CC41FBE7BA8BB58715F10460AF815E61D1DB74A984D7A0

Function 004A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 004E5153
Unterminated group of comments, xrefs: 004E528C
#requireadmin, xrefs: 004A77FF
Cannot parse #include, xrefs: 004E5279
#OnAutoItStartRegister, xrefs: 004A7817
#comments-start, xrefs: 004A785F, 004A78B1
', xrefs: 004E5169
#ce, xrefs: 004A78ED
Bad directive syntax error, xrefs: 004E519A
#include-once, xrefs: 004A782F
#cs, xrefs: 004A7873, 004A78C5
#include, xrefs: 004A7847
#pragma compile, xrefs: 004A77D3
#notrayicon, xrefs: 004A77E7
#comments-end, xrefs: 004A78D9

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 230a7f8ae259ddee741d81e6e8749a1056db2351c10ef545010d958012528b7a
Instruction ID: 30af7281d1f85cf86d6d2affa2b4eac3ff468ec2710e26f7510a42200545ee94
Opcode Fuzzy Hash: 230a7f8ae259ddee741d81e6e8749a1056db2351c10ef545010d958012528b7a
Instruction Fuzzy Hash: DD81FB75A04205BBDB20AF61DC42FAF7B64BF25344F04402FF905AA292EB7CD911D7A9

Function 00513E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00513EF8
_wcslen.LIBCMT ref: 00513F03
_wcslen.LIBCMT ref: 00513F5A
_wcslen.LIBCMT ref: 00513F98
GetDriveTypeW.KERNEL32(?), ref: 00513FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0051401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00514059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00514087

Strings

closed, xrefs: 00513F08, 00513F2D, 00513F46, 00513F7E, 00513F97
open , xrefs: 00513FE5
wait, xrefs: 00514044
type cdaudio alias cd wait, xrefs: 00514001
close, xrefs: 00513EFE, 00513F18
set cd door , xrefs: 00514028
open, xrefs: 00513F54, 00513F59
close cd wait, xrefs: 00514072

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: a08adcc47fedd42190fb3158639ad12a2c688e4fa98cb82ddb78f07d346fd89e
Instruction ID: ee83fc7e9a57d68a51e7e57aea223f641c26dbacfd7c2eea762b956aa0158b95
Opcode Fuzzy Hash: a08adcc47fedd42190fb3158639ad12a2c688e4fa98cb82ddb78f07d346fd89e
Instruction Fuzzy Hash: BC71F4316042119FD710EF25C8908ABBBF4FFA9758F00492EF89597251EB35ED8ACB91

Function 00505A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00505A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00505A40
SetWindowTextW.USER32(?,?), ref: 00505A57
GetDlgItem.USER32(?,000003EA), ref: 00505A6C
SetWindowTextW.USER32(00000000,?), ref: 00505A72
GetDlgItem.USER32(?,000003E9), ref: 00505A82
SetWindowTextW.USER32(00000000,?), ref: 00505A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00505AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00505AC3
GetWindowRect.USER32(?,?), ref: 00505ACC
_wcslen.LIBCMT ref: 00505B33
SetWindowTextW.USER32(?,?), ref: 00505B6F
GetDesktopWindow.USER32 ref: 00505B75
GetWindowRect.USER32(00000000), ref: 00505B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00505BD3
GetClientRect.USER32(?,?), ref: 00505BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00505C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00505C2F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 8e0dd68f6e33a0e2170fe8e439f95f6ba85e04015ee470c9c073b3e1d5d5387d
Instruction ID: c06caa34b4d040b1ed287b17ba7ba8e890cd76c7075902817da225e2ca437bc1
Opcode Fuzzy Hash: 8e0dd68f6e33a0e2170fe8e439f95f6ba85e04015ee470c9c073b3e1d5d5387d
Instruction Fuzzy Hash: E1715D31900B09AFDB20DFA8CE46A6FBFF5FF48705F104918E542A26A0E775A944DF50

Function 0051FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0051FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0051FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0051FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0051FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0051FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0051FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0051FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0051FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0051FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0051FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0051FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0051FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0051FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0051FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0051FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0051FECC
GetCursorInfo.USER32(?), ref: 0051FEDC
GetLastError.KERNEL32 ref: 0051FF1E

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 18072b30a4e3c47cee6740931f390e1cc9aa80dbeec14feae54b55a9651441ae
Instruction ID: df916af5d6f4406cf4cc2e15d1915bd3f1e01ab44a811f1e5c8e9de09159d480
Opcode Fuzzy Hash: 18072b30a4e3c47cee6740931f390e1cc9aa80dbeec14feae54b55a9651441ae
Instruction Fuzzy Hash: EC4131B0D083196ADB109FBA8C8985EBFE8FF04754B54452AF119E7281DB78A941CF91

Function 005030F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0050318D
_wcslen.LIBCMT ref: 005031F8

Strings

CLASSNN, xrefs: 005031F3, 00503204
[V, xrefs: 0050339A
CLASS, xrefs: 00503188, 005031A5
INSTANCE, xrefs: 00503453
NAME, xrefs: 00503335, 00503346
REGEXPCLASS, xrefs: 00503255, 00503266
TEXT, xrefs: 0050347C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[V
API String ID: 176396367-1647748031
Opcode ID: d5b140fa25ebacbd083fab9487ea69004aa0ebdcd9077948f1366488c5fcffe5
Instruction ID: dadd515dc310f1e60b1152b748fcf42fd434be81e45ac083890d4249ef530c20
Opcode Fuzzy Hash: d5b140fa25ebacbd083fab9487ea69004aa0ebdcd9077948f1366488c5fcffe5
Instruction Fuzzy Hash: F0E1E632A00516ABCF289F78C851BEEBFB8BF54714F54851EE456B7290EB30AE45C790

Function 004C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004C00C6

Part of subcall function 004C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0057070C,00000FA0,1561E445,?,?,?,?,004E23B3,000000FF), ref: 004C011C
Part of subcall function 004C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004E23B3,000000FF), ref: 004C0127
Part of subcall function 004C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004E23B3,000000FF), ref: 004C0138
Part of subcall function 004C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 004C014E
Part of subcall function 004C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004C015C
Part of subcall function 004C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004C016A
Part of subcall function 004C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004C0195
Part of subcall function 004C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004C01A0

___scrt_fastfail.LIBCMT ref: 004C00E7

Part of subcall function 004C00A3: __onexit.LIBCMT ref: 004C00A9

Strings

kernel32.dll, xrefs: 004C0133
WakeAllConditionVariable, xrefs: 004C0162
SleepConditionVariableCS, xrefs: 004C0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 004C0122
InitializeConditionVariable, xrefs: 004C0148

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: dbf21d34f3001d2a151b3bb90bccb96adea704dc4f819ba0f904a7c613597377
Instruction ID: 6c2f82869dfdd4773386cbe2da34441dc5111753cd25663a1b715ad3bea129a1
Opcode Fuzzy Hash: dbf21d34f3001d2a151b3bb90bccb96adea704dc4f819ba0f904a7c613597377
Instruction Fuzzy Hash: EA21F536A44310EBD7505BA5BC09F6ABBE4EB14B51F04053FF805A2391DFA89804AB98

Function 005144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0053CC08), ref: 00514527
_wcslen.LIBCMT ref: 0051453B
_wcslen.LIBCMT ref: 00514599
_wcslen.LIBCMT ref: 005145F4
_wcslen.LIBCMT ref: 0051463F
_wcslen.LIBCMT ref: 005146A7

Part of subcall function 004BF9F2: _wcslen.LIBCMT ref: 004BF9FD

GetDriveTypeW.KERNEL32(?,00566BF0,00000061), ref: 00514743

Strings

fixed, xrefs: 00514635, 0051463A
all, xrefs: 00514531, 00514536
ramdisk, xrefs: 005146F1
unknown, xrefs: 00514708
cdrom, xrefs: 0051458F, 00514594
removable, xrefs: 005145EA, 005145EF
network, xrefs: 0051469D, 005146A2

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e655525d194f47f4eb8b4dbc077235dfafc27c285e42595528dfae4cff78798c
Instruction ID: a63713451305bb9b5e95bbcf04bf0a6a202a326ec4b41f88e9192dbae5ebc767
Opcode Fuzzy Hash: e655525d194f47f4eb8b4dbc077235dfafc27c285e42595528dfae4cff78798c
Instruction Fuzzy Hash: 43B12F716083029FD310DF28C890AAEBBE5FFA6768F50591DF096C7291D734D885CBA2

Function 0053911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00539147

Part of subcall function 00537674: ClientToScreen.USER32(?,?), ref: 0053769A
Part of subcall function 00537674: GetWindowRect.USER32(?,?), ref: 00537710
Part of subcall function 00537674: PtInRect.USER32(?,?,00538B89), ref: 00537720

SendMessageW.USER32(?,000000B0,?,?), ref: 005391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00539225
SendMessageW.USER32(?,000000B0,?,?), ref: 0053923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00539255
SendMessageW.USER32(?,000000B1,?,?), ref: 00539277
DragFinish.SHELL32(?), ref: 0053927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00539371

Strings

@GUI_DROPID, xrefs: 0053929E
p#W, xrefs: 005392BB
@GUI_DRAGFILE, xrefs: 00539320
@GUI_DRAGID, xrefs: 005392E9

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#W
API String ID: 221274066-2236016650
Opcode ID: ca085180430d7473952a7bb8fba63c39fa4f5e7015ca3461c1090a3fdf4522f0
Instruction ID: eb63af51b2c89c38649d1db84080aa5daedd85e8153adf6a5547767f40404814
Opcode Fuzzy Hash: ca085180430d7473952a7bb8fba63c39fa4f5e7015ca3461c1090a3fdf4522f0
Instruction Fuzzy Hash: FE616671108301AFC701EF65DC85DABBFE8FBA9354F00091EF595962A0DB709A49CB56

Function 004A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00571990), ref: 004E2F8D
GetMenuItemCount.USER32(00571990), ref: 004E303D
GetCursorPos.USER32(?), ref: 004E3081
SetForegroundWindow.USER32(00000000), ref: 004E308A
TrackPopupMenuEx.USER32(00571990,00000000,?,00000000,00000000,00000000), ref: 004E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004E30A9

Strings

0, xrefs: 004A327D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0f6d9c0e64c84021345a52d739e34193956f337fbfdb0cf44e1443f64d7948dc
Instruction ID: 8d67a99d7f967b3226a4889ca9729b8be585e9b713a8b31b1fe7699efd84cfa2
Opcode Fuzzy Hash: 0f6d9c0e64c84021345a52d739e34193956f337fbfdb0cf44e1443f64d7948dc
Instruction Fuzzy Hash: EA712531640256BAEB218F29CD49FABBF68FF11325F200207F5146A2E0C7B5AD14EB59

Function 00536CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00536DEB

Part of subcall function 004A6B57: _wcslen.LIBCMT ref: 004A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00536E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00536E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00536E94
DestroyWindow.USER32(?), ref: 00536EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004A0000,00000000), ref: 00536EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00536EFD
GetDesktopWindow.USER32 ref: 00536F16
GetWindowRect.USER32(00000000), ref: 00536F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00536F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00536F4D

Part of subcall function 004B9944: GetWindowLongW.USER32(?,000000EB), ref: 004B9952

Strings

tooltips_class32, xrefs: 00536E58, 00536EDD
0, xrefs: 00536D98

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 48feff9eddc77350ebeecab6344aa135f133e5699d890c0356a622b01c52262c
Instruction ID: 5468b89cc07e45afe29933024367efa7bfd829922c93d746e8a5336368a55633
Opcode Fuzzy Hash: 48feff9eddc77350ebeecab6344aa135f133e5699d890c0356a622b01c52262c
Instruction Fuzzy Hash: C8717974104644AFDB21CF19D884EAABFF9FB99304F04481DFA9997260C770A94AEB25

Function 0051C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0051C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0051C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0051C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0051C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0051C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0051C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0051C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0051C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0051C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0051C5F0
InternetCloseHandle.WININET(00000000), ref: 0051C5FB

Strings

, xrefs: 0051C575

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d3a6877e9593b689641e9c0fd1256481a3e08860fb7047923fe14d7a1f25e378
Instruction ID: cb3f0047dd433d7e4374ab0fe1294ea3c476316b0fa4ac399a6d018bd6aa3d1a
Opcode Fuzzy Hash: d3a6877e9593b689641e9c0fd1256481a3e08860fb7047923fe14d7a1f25e378
Instruction Fuzzy Hash: 2F514BB5540209BFEB219FA4C988ABB7FFDFF18754F00441DF945A6210DB35E988AB60

Function 0053856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00538592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005385BA
GlobalLock.KERNEL32(00000000), ref: 005385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005385D7
GlobalUnlock.KERNEL32(00000000), ref: 005385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0053FC38,?), ref: 00538611
GlobalFree.KERNEL32(00000000), ref: 00538621
GetObjectW.GDI32(?,00000018,?), ref: 00538641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00538671
DeleteObject.GDI32(?), ref: 00538699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005386AF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d4d420a6bdde58ab94a845125621d38b2abf30cb1e06101e2e38361421798733
Instruction ID: 19665ca89025ec6901560a66cd76ffdb5e3163cd074a2b1cb6ecc3132301e912
Opcode Fuzzy Hash: d4d420a6bdde58ab94a845125621d38b2abf30cb1e06101e2e38361421798733
Instruction Fuzzy Hash: 7141F775600208BFDB159FA5DC89EAB7FB8FF99B11F148058F905EB260DB309905EB60

Function 005114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00511502
VariantCopy.OLEAUT32(?,?), ref: 0051150B
VariantClear.OLEAUT32(?), ref: 00511517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00511657
VariantInit.OLEAUT32(?), ref: 00511708
SysFreeString.OLEAUT32(?), ref: 0051178C
VariantClear.OLEAUT32(?), ref: 005117D8
VariantClear.OLEAUT32(?), ref: 005117E7
VariantInit.OLEAUT32(00000000), ref: 00511823

Strings

Default, xrefs: 005116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00511625

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 2b94165294b9de14ee9d507a4fbe29641a04f8987016702abcca938d197c31b1
Instruction ID: 7ee395ee6442921ab0822e63318e684d8695f62e766200b47fd89aeb965e9cd8
Opcode Fuzzy Hash: 2b94165294b9de14ee9d507a4fbe29641a04f8987016702abcca938d197c31b1
Instruction Fuzzy Hash: 5FD11331600915DBEB009F65E884BFDBBB6BF45700F15849AF646AB280DB34DC84DF6A

Function 0052B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 0052C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052B6AE,?,?), ref: 0052C9B5
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052C9F1
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052CA68
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0052B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0052B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0052B80A
RegCloseKey.ADVAPI32(?), ref: 0052B87E
RegCloseKey.ADVAPI32(?), ref: 0052B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0052B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0052B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0052B922
FreeLibrary.KERNEL32(00000000), ref: 0052B983
RegCloseKey.ADVAPI32(00000000), ref: 0052B994

Strings

advapi32.dll, xrefs: 0052B8ED
RegDeleteKeyExW, xrefs: 0052B8FE

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 4b672bde09e2584b34f32becdfbcd0039aa88f8c6c050aad4742be5a2835a9d9
Instruction ID: 4aec42824a6337a5ed15aed5ffbcbbe60c83243123594eaefe9f2c7f6a14a48e
Opcode Fuzzy Hash: 4b672bde09e2584b34f32becdfbcd0039aa88f8c6c050aad4742be5a2835a9d9
Instruction Fuzzy Hash: A4C19B34208211AFE714DF14D494F2ABBE5FF96308F18845CF59A8B2A2CB35ED45CB91

Function 0052255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005225E8
CreateCompatibleDC.GDI32(?), ref: 005225F4
SelectObject.GDI32(00000000,?), ref: 00522601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0052266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005226D0
SelectObject.GDI32(?,?), ref: 005226D8
DeleteObject.GDI32(?), ref: 005226E1
DeleteDC.GDI32(?), ref: 005226E8
ReleaseDC.USER32(00000000,?), ref: 005226F3

Strings

(, xrefs: 0052268D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 16ddc8cea714e45d69a1df42550542dd5f1732cd8d4ec026b9af1fa4067b998b
Instruction ID: 9b1c1261533bd6357d10272d2fd98ec37deb40c57653a8b209b246ba190b801d
Opcode Fuzzy Hash: 16ddc8cea714e45d69a1df42550542dd5f1732cd8d4ec026b9af1fa4067b998b
Instruction Fuzzy Hash: 5061F376D00219EFCF14CFA8D888AAEBBB5FF48310F208529E956A7350D774A951DF60

Function 004DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004DDAA1

Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD659
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD66B
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD67D
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD68F
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD6A1
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD6B3
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD6C5
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD6D7
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD6E9
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD6FB
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD70D
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD71F
Part of subcall function 004DD63C: _free.LIBCMT ref: 004DD731

_free.LIBCMT ref: 004DDA96

Part of subcall function 004D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000), ref: 004D29DE
Part of subcall function 004D29C8: GetLastError.KERNEL32(00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000,00000000), ref: 004D29F0

_free.LIBCMT ref: 004DDAB8
_free.LIBCMT ref: 004DDACD
_free.LIBCMT ref: 004DDAD8
_free.LIBCMT ref: 004DDAFA
_free.LIBCMT ref: 004DDB0D
_free.LIBCMT ref: 004DDB1B
_free.LIBCMT ref: 004DDB26
_free.LIBCMT ref: 004DDB5E
_free.LIBCMT ref: 004DDB65
_free.LIBCMT ref: 004DDB82
_free.LIBCMT ref: 004DDB9A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 98cc1e119b8e890d0e33df2ba99b5195b3620c41dd7960fb1d665379eea6c098
Instruction ID: deedefea6e1deecc08169e9ec2671c724cbefa79ec650addd1d9ecc39fe635d0
Opcode Fuzzy Hash: 98cc1e119b8e890d0e33df2ba99b5195b3620c41dd7960fb1d665379eea6c098
Instruction Fuzzy Hash: E0317CB1A046049FEB21AA3AE961B577BE8FF10318F10446FE049D7391DA78BC40D728

Function 0050365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0050369C
_wcslen.LIBCMT ref: 005036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00503797
GetClassNameW.USER32(?,?,00000400), ref: 0050380C
GetDlgCtrlID.USER32(?), ref: 0050385D
GetWindowRect.USER32(?,?), ref: 00503882
GetParent.USER32(?), ref: 005038A0
ScreenToClient.USER32(00000000), ref: 005038A7
GetClassNameW.USER32(?,?,00000100), ref: 00503921
GetWindowTextW.USER32(?,?,00000400), ref: 0050395D

Strings

%s%u, xrefs: 00503734

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 60239a1638bfc70ccb31a95b687c7cf4721468f92228fe7f42c7764cf60ce0b6
Instruction ID: 48ac905e4ed89b1f4f929e18e9261c795f80ed34b215b962aa95f202be383e7e
Opcode Fuzzy Hash: 60239a1638bfc70ccb31a95b687c7cf4721468f92228fe7f42c7764cf60ce0b6
Instruction Fuzzy Hash: EC919E71204606AFD719DF25C885FAEBBACFF44354F008A29F999D2191DB30EA49CB91

Function 00504954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00504994
GetWindowTextW.USER32(?,?,00000400), ref: 005049DA
_wcslen.LIBCMT ref: 005049EB
CharUpperBuffW.USER32(?,00000000), ref: 005049F7
_wcsstr.LIBVCRUNTIME ref: 00504A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00504A64
GetWindowTextW.USER32(?,?,00000400), ref: 00504A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00504AE6
GetClassNameW.USER32(?,?,00000400), ref: 00504B20
GetWindowRect.USER32(?,?), ref: 00504B8B

Strings

ThumbnailClass, xrefs: 00504A6F, 00504AF1

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 164d7c8d679c85072f6c32997fe6ebc04f94c86eb83d89dee7b5af64b73383aa
Instruction ID: a931947d9d0b7f6861d353dab2a60f2c6b216cbe2c0d553b804596f9d54346b1
Opcode Fuzzy Hash: 164d7c8d679c85072f6c32997fe6ebc04f94c86eb83d89dee7b5af64b73383aa
Instruction Fuzzy Hash: 4591A9B21042069BDB04DE14C985BAE7BE9FF84314F04846EFE859A1D6EB34ED45CFA1

Function 00538D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00538D5A
GetFocus.USER32 ref: 00538D6A
GetDlgCtrlID.USER32(00000000), ref: 00538D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00538E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00538ECF
GetMenuItemCount.USER32(?), ref: 00538EEC
GetMenuItemID.USER32(?,00000000), ref: 00538EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00538F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00538F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00538FA1

Strings

0, xrefs: 00538E9F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e8fb6bdb5c29a5df9742fc5ba9274ae07ab8282bb5324c8b501a54aef247202e
Instruction ID: cc4f8ecff6f3347b39d8c1817f7f0fc7b523759abf4d9e2e5d73ddbb757b3173
Opcode Fuzzy Hash: e8fb6bdb5c29a5df9742fc5ba9274ae07ab8282bb5324c8b501a54aef247202e
Instruction Fuzzy Hash: 2A81BE715083019FDB24CF24D884ABBBFE9FB98314F14091DF984A7291DB30D905EBA1

Function 0050DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0050DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0050DC46
_wcslen.LIBCMT ref: 0050DC50
_wcsstr.LIBVCRUNTIME ref: 0050DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0050DCBC

Strings

%u.%u.%u.%u, xrefs: 0050DD9A
04090000, xrefs: 0050DCF2
StringFileInfo\, xrefs: 0050DC8F
\VarFileInfo\Translation, xrefs: 0050DCB4
DefaultLangCodepage, xrefs: 0050DD1F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 583fc9ed36df16746de36bf07de605ae2606ab2c4d3add845144d585d33b1c95
Instruction ID: dc0dba8765518619fb9fa2e499eb65159ab58b3aa5b6bb19ceb0b13050a6f95c
Opcode Fuzzy Hash: 583fc9ed36df16746de36bf07de605ae2606ab2c4d3add845144d585d33b1c95
Instruction Fuzzy Hash: 0241F0769402047ADB10A7B69C07EBF7BBCFF51714F10006EF904A6182EA78EA1097B9

Function 0052CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0052CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0052CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0052CD48

Part of subcall function 0052CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0052CCAA
Part of subcall function 0052CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0052CCBD
Part of subcall function 0052CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0052CCCF
Part of subcall function 0052CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0052CD05
Part of subcall function 0052CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0052CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0052CCF3

Strings

advapi32.dll, xrefs: 0052CCB8
RegDeleteKeyExW, xrefs: 0052CCC9

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8b4edc9e74aba6143be390d43e14390376151eca886d12d89a8a501583ee4e5a
Instruction ID: 6db114bad807b9cbad1002572585780735186ac5a4f97658cfb9a9fd1d53c1f2
Opcode Fuzzy Hash: 8b4edc9e74aba6143be390d43e14390376151eca886d12d89a8a501583ee4e5a
Instruction Fuzzy Hash: 84317E75901129BBD7208B61EC88EFFBF7CEF56740F000165A905E7281D6749E49EBA0

Function 00513D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00513D40
_wcslen.LIBCMT ref: 00513D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00513D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00513DBE
RemoveDirectoryW.KERNEL32(?), ref: 00513DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00513E55
CloseHandle.KERNEL32(00000000), ref: 00513E60
CloseHandle.KERNEL32(00000000), ref: 00513E6B

Strings

:, xrefs: 00513D82
\, xrefs: 00513D77
\??\%s, xrefs: 00513D5B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: a56174fe1fcee9f113a27f1d03f22902757b4226ec9838c321e3df6a6b3d7eca
Instruction ID: 8e7c9ef9f417ae2dff29740a8ad81639e5291c9524bb26583a98c0c7ad5267b1
Opcode Fuzzy Hash: a56174fe1fcee9f113a27f1d03f22902757b4226ec9838c321e3df6a6b3d7eca
Instruction Fuzzy Hash: 3C31A5B59001096BDB209BA0DC49FEF3BBCFF88744F1041BAF505E6160E77497849B64

Function 0050E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0050E6B4

Part of subcall function 004BE551: timeGetTime.WINMM(?,?,0050E6D4), ref: 004BE555

Sleep.KERNEL32(0000000A), ref: 0050E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0050E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0050E727
SetActiveWindow.USER32 ref: 0050E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0050E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0050E773
Sleep.KERNEL32(000000FA), ref: 0050E77E
IsWindow.USER32 ref: 0050E78A
EndDialog.USER32(00000000), ref: 0050E79B

Strings

BUTTON, xrefs: 0050E719

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1ad05a4230f8f29608a642b771e30423434a7447c2617be6c0046de1ee83b5f2
Instruction ID: 1a94f07a8a7a115e7d1c046ff75c887a15d54f5f9cbbcc2e2ed8e3b49abae250
Opcode Fuzzy Hash: 1ad05a4230f8f29608a642b771e30423434a7447c2617be6c0046de1ee83b5f2
Instruction Fuzzy Hash: 1A218470200245AFEB106F65FC8FA293F69F7B5349F240825F50A912E1DF719C48BB24

Function 0050E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0050EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0050EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0050EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0050EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0050EAA7

Strings

open , xrefs: 0050EA0C
play PlayMe, xrefs: 0050EAA2
close PlayMe, xrefs: 0050EA6E, 0050EA9B
status PlayMe mode, xrefs: 0050EA58
alias PlayMe, xrefs: 0050EA36
play PlayMe wait, xrefs: 0050EA91

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6eabcaf0e3f314ac374f1511746dbfbe0bb54dae046ecabcf54a6f944b367039
Instruction ID: d8f406910ea528a73db19f0ec0ccd40b0b39d835c3605cb2a789414c68b0d581
Opcode Fuzzy Hash: 6eabcaf0e3f314ac374f1511746dbfbe0bb54dae046ecabcf54a6f944b367039
Instruction Fuzzy Hash: C6114F21A5021979D720A7A2DC4ADFF6E7CFBE6B44F14082A7801A30D1EAB00945CAB0

Function 00505CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00505CE2
GetWindowRect.USER32(00000000,?), ref: 00505CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00505D59
GetDlgItem.USER32(?,00000002), ref: 00505D69
GetWindowRect.USER32(00000000,?), ref: 00505D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00505DCF
GetDlgItem.USER32(?,000003E9), ref: 00505DDD
GetWindowRect.USER32(00000000,?), ref: 00505DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00505E31
GetDlgItem.USER32(?,000003EA), ref: 00505E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00505E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00505E67

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: df5f69948ec092bba896b77ff816d45ec39d1de741ebb2be8d72b5b0148590c9
Instruction ID: f9c800539618f18f003f89fab0cef91d818f1fa52dca7feda00e8879f97a90c1
Opcode Fuzzy Hash: df5f69948ec092bba896b77ff816d45ec39d1de741ebb2be8d72b5b0148590c9
Instruction Fuzzy Hash: F751FFB1A00615AFDF18CF68DD89AAE7FB9FB58300F548129F916E6290E7709E04CF50

Function 004B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004B8BE8,?,00000000,?,?,?,?,004B8BBA,00000000,?), ref: 004B8FC5

DestroyWindow.USER32(?), ref: 004B8C81
KillTimer.USER32(00000000,?,?,?,?,004B8BBA,00000000,?), ref: 004B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 004F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,004B8BBA,00000000,?), ref: 004F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,004B8BBA,00000000,?), ref: 004F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,004B8BBA,00000000), ref: 004F69D4
DeleteObject.GDI32(00000000), ref: 004F69E6

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 8d2c14503aae7d0f0db5aa0f7451f626d0bd624e202697f8829c5504e36be708
Instruction ID: 0ffe65857a4a6104de1ee9ed2aaf68c0c8e2ef098864a2a758ddce31cb3fb0c2
Opcode Fuzzy Hash: 8d2c14503aae7d0f0db5aa0f7451f626d0bd624e202697f8829c5504e36be708
Instruction Fuzzy Hash: 0161ED71401A04DFCB218F18E948BBA7BF5FB60312F14441EE1469A660CB79ACD5EF69

Function 004B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004B9944: GetWindowLongW.USER32(?,000000EB), ref: 004B9952

GetSysColor.USER32(0000000F), ref: 004B9862

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 66c728d6585e4d2dbfe8fd3f73dc9d80dc4a85346f81b767dca7640a280fa93a
Instruction ID: e1c4d7e8390111c8b1881c753340aeb85864a8b0836f2243cd159130a76fe509
Opcode Fuzzy Hash: 66c728d6585e4d2dbfe8fd3f73dc9d80dc4a85346f81b767dca7640a280fa93a
Instruction Fuzzy Hash: F441C431104604AFDB216F389C84BFA3B75AB16330F14465AFAA2973E1D7399C46EB25

Function 004D8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.L, xrefs: 004D903A, 004D8FD0, 004D8FF2

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: .L
API String ID: 0-3603714933
Opcode ID: 160a82fc00ce5b267af3187d4b20314e4be468c282cdd48c4527d91b73ac8263
Instruction ID: 5d495f89181475c81ce67810e2fef424694c7fba3e6c44943544d006de5f128b
Opcode Fuzzy Hash: 160a82fc00ce5b267af3187d4b20314e4be468c282cdd48c4527d91b73ac8263
Instruction Fuzzy Hash: E6C11674A04249AFDB12DFA9D861BAEBBB1AF19310F04409FF414E7392C7389D41DB69

Function 005096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,004EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00509717
LoadStringW.USER32(00000000,?,004EF7F8,00000001), ref: 00509720

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,004EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00509742
LoadStringW.USER32(00000000,?,004EF7F8,00000001), ref: 00509745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00509866

Strings

Line %d (File "%s"):, xrefs: 0050978F
Line %d:, xrefs: 005097A0
%s (%d) : ==> %s: %s %s, xrefs: 0050984A
Error: , xrefs: 0050981D
^ ERROR, xrefs: 005097FB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4e4c959228f33884ca16e0964df127098b3964859083188dbe8fd9745ff3d620
Instruction ID: a0b2fd0b3c6eaa8cdeaa6f3e5001819f0f3062b878ab515956624fc0ccca705d
Opcode Fuzzy Hash: 4e4c959228f33884ca16e0964df127098b3964859083188dbe8fd9745ff3d620
Instruction Fuzzy Hash: E5415D72804219AACF04FBE1CD86DEE7B78EF66745F10442AF50572092EB396F48CB65

Function 005006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004A6B57: _wcslen.LIBCMT ref: 004A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00500804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0050082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00500837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0050083C

Strings

SOFTWARE\Classes\, xrefs: 0050070E
\CLSID, xrefs: 00500724
\IPC$, xrefs: 00500784

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: aebb548adbbda032f65899e572022f5d49829763803fa6f4c75cb07860deae15
Instruction ID: 2696c5b0387fcca0f872c5d2de01240a5262771d7eda8782b5f5f45bfa89db6b
Opcode Fuzzy Hash: aebb548adbbda032f65899e572022f5d49829763803fa6f4c75cb07860deae15
Instruction Fuzzy Hash: DC41F872C10229ABDF15EFA5DC859EDBB78FF14754F04412AE901B31A1EB749E18CBA0

Function 00523C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00523C5C
CoInitialize.OLE32(00000000), ref: 00523C8A
CoUninitialize.OLE32 ref: 00523C94
_wcslen.LIBCMT ref: 00523D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00523DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00523ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00523F0E
CoGetObject.OLE32(?,00000000,0053FB98,?), ref: 00523F2D
SetErrorMode.KERNEL32(00000000), ref: 00523F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00523FC4
VariantClear.OLEAUT32(?), ref: 00523FD8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8364a4c9f92b6c5eee56b63d04015b0e4fae25864ae2c0352ebd03e2d32acff4
Instruction ID: a7f303e1adb70a2d37ba5c559a044fb0ef36d4f5dbe9948544aa0fd6bfac5639
Opcode Fuzzy Hash: 8364a4c9f92b6c5eee56b63d04015b0e4fae25864ae2c0352ebd03e2d32acff4
Instruction Fuzzy Hash: B7C15771608315AFC700DF68D88492BBBE9FF8A748F14491DF98A9B291D734EE05CB52

Function 00517A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00517AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00517B8F
SHGetDesktopFolder.SHELL32(?), ref: 00517BA3
CoCreateInstance.OLE32(0053FD08,00000000,00000001,00566E6C,?), ref: 00517BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00517C74
CoTaskMemFree.OLE32(?,?), ref: 00517CCC
SHBrowseForFolderW.SHELL32(?), ref: 00517D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00517D7A
CoTaskMemFree.OLE32(00000000), ref: 00517D81
CoTaskMemFree.OLE32(00000000), ref: 00517DD6
CoUninitialize.OLE32 ref: 00517DDC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ae239c82a48fba0649fda3568067120277fde277df4bb7cf4ac76d516ce1c798
Instruction ID: 82b050ac2a227a82a2a705f3640076e09178bba707cc5d3f01625138ec68f879
Opcode Fuzzy Hash: ae239c82a48fba0649fda3568067120277fde277df4bb7cf4ac76d516ce1c798
Instruction Fuzzy Hash: 77C11D75A04109AFDB14DF68C884DAEBBF9FF48318B148499E415DB361D734EE85CB90

Function 0053541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00535504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00535515
CharNextW.USER32(00000158), ref: 00535544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00535585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0053559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005355AC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: edfda1449d0c83e5d09aaf5ad7616dc23a7033d2f6a39d3058334995ff652ae7
Instruction ID: 01c84ee4bf98b98e412f5b786496ba899deca2096dbbf92e8cd0c1390265ce89
Opcode Fuzzy Hash: edfda1449d0c83e5d09aaf5ad7616dc23a7033d2f6a39d3058334995ff652ae7
Instruction Fuzzy Hash: 6E61AC71900609AFDF11CF64CC85AFE7FB9FB19320F109545F925AB290E7749A84EB60

Function 004FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 004FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 004FFB08
VariantInit.OLEAUT32(?), ref: 004FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 004FFB3A
VariantCopy.OLEAUT32(?,?), ref: 004FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 004FFBA1
VariantClear.OLEAUT32(?), ref: 004FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 004FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004FFBCC
VariantClear.OLEAUT32(?), ref: 004FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004FFBE9

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e5a8665b84ee5db8c6945a4c4b018d05549a80aac1d2a98816fd913a8865acb5
Instruction ID: f01f0c918462a579b2a10c74e74cba99f95a18089f87b0b6cbb072d64ded7d8d
Opcode Fuzzy Hash: e5a8665b84ee5db8c6945a4c4b018d05549a80aac1d2a98816fd913a8865acb5
Instruction Fuzzy Hash: 49415F35A002199FCF00DF65D8549BEBFB9FF58345F00806AE915A7361DB34E949CBA4

Function 00509C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00509CA1
GetAsyncKeyState.USER32(000000A0), ref: 00509D22
GetKeyState.USER32(000000A0), ref: 00509D3D
GetAsyncKeyState.USER32(000000A1), ref: 00509D57
GetKeyState.USER32(000000A1), ref: 00509D6C
GetAsyncKeyState.USER32(00000011), ref: 00509D84
GetKeyState.USER32(00000011), ref: 00509D96
GetAsyncKeyState.USER32(00000012), ref: 00509DAE
GetKeyState.USER32(00000012), ref: 00509DC0
GetAsyncKeyState.USER32(0000005B), ref: 00509DD8
GetKeyState.USER32(0000005B), ref: 00509DEA

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f1820fb13b228d7442c454a2cff7baefad62b4b605092afde87a84beb4264acd
Instruction ID: 2abf1fab67ace184510465ff55488f267cef4eec682982290329927f270f59ff
Opcode Fuzzy Hash: f1820fb13b228d7442c454a2cff7baefad62b4b605092afde87a84beb4264acd
Instruction Fuzzy Hash: 4C41E9749447C96EFF308764C8043BDBEA07F21344F08805ADAC6566C7DBA49DC8C7A2

Function 0052055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005205BC
inet_addr.WSOCK32(?), ref: 0052061C
gethostbyname.WSOCK32(?), ref: 00520628
IcmpCreateFile.IPHLPAPI ref: 00520636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005207B9
WSACleanup.WSOCK32 ref: 005207BF

Strings

Ping, xrefs: 00520676

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 5593e24647a419c659c81bb8af15c9d71022504b60e419ccabe214ea8f564c48
Instruction ID: 6b17e86de30da17cab5b57ea1012cae1549cff01183f176aa978879e71fb49ad
Opcode Fuzzy Hash: 5593e24647a419c659c81bb8af15c9d71022504b60e419ccabe214ea8f564c48
Instruction Fuzzy Hash: 51917935605211AFD320DF15E888B1ABFE0FF46318F1889A9E4699B6E2C734ED45CF91

Function 00528CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00528CF3

Part of subcall function 00508E54: _wcslen.LIBCMT ref: 00508E77

_wcslen.LIBCMT ref: 00528D4E
_wcslen.LIBCMT ref: 00528D9C
_wcslen.LIBCMT ref: 00528DDC
_wcslen.LIBCMT ref: 00528E6E

Strings

winapi, xrefs: 00528D96, 00528D9B
none, xrefs: 00528E65, 00528E6A
cdecl, xrefs: 00528D48, 00528D4D
stdcall, xrefs: 00528DD6, 00528DDB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ae159241b59b2396dd98815cf8e398e2e71f622cd946b0f7b31a048f78137d8c
Instruction ID: aa2cbf5f3f3e15de1abfc1bb2b60264e444d8d2286958a1812419128fb275fb3
Opcode Fuzzy Hash: ae159241b59b2396dd98815cf8e398e2e71f622cd946b0f7b31a048f78137d8c
Instruction Fuzzy Hash: 6A51D472A011269BCF14DFACD9409BEBBA9BF66324B25422DE426E72C4DF34DD44C790

Function 0052372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00523774
CoUninitialize.OLE32 ref: 0052377F
CoCreateInstance.OLE32(?,00000000,00000017,0053FB78,?), ref: 005237D9
IIDFromString.OLE32(?,?), ref: 0052384C
VariantInit.OLEAUT32(?), ref: 005238E4
VariantClear.OLEAUT32(?), ref: 00523936

Strings

Invalid parameter, xrefs: 00523865
NULL Pointer assignment, xrefs: 0052381E
Failed to create object, xrefs: 005237E4, 0052389A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d1df004feeff939532d2bb1a97a36d19478e1fe3bdc8669ae3fca2888a88bcd4
Instruction ID: bcbd6edc6d23a42c83e1c0884942b993beb49d7604ee5e294e4911fa4f8c5a39
Opcode Fuzzy Hash: d1df004feeff939532d2bb1a97a36d19478e1fe3bdc8669ae3fca2888a88bcd4
Instruction Fuzzy Hash: 26619D71608321AFD710DF54D888B5ABFE8FF8A714F040809F9859B291D774EE48CB96

Function 00538B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004B9BB2

Part of subcall function 004B912D: GetCursorPos.USER32(?), ref: 004B9141
Part of subcall function 004B912D: ScreenToClient.USER32(00000000,?), ref: 004B915E
Part of subcall function 004B912D: GetAsyncKeyState.USER32(00000001), ref: 004B9183
Part of subcall function 004B912D: GetAsyncKeyState.USER32(00000002), ref: 004B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00538B6B
ImageList_EndDrag.COMCTL32 ref: 00538B71
ReleaseCapture.USER32 ref: 00538B77
SetWindowTextW.USER32(?,00000000), ref: 00538C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00538C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00538CFF

Strings

p#W, xrefs: 00538C71
@GUI_DROPID, xrefs: 00538C51
@GUI_DRAGFILE, xrefs: 00538C9A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#W
API String ID: 1924731296-2307451002
Opcode ID: a34427c57d715e9d1b441c4558909bed86c1824e6d90bedcf9b3937069852680
Instruction ID: 1cf5220b3f40cbaff87e9df1b51d910df604f056653fabb6b47f8a5eb203eaaf
Opcode Fuzzy Hash: a34427c57d715e9d1b441c4558909bed86c1824e6d90bedcf9b3937069852680
Instruction Fuzzy Hash: EE517A71104304AFD704DF14DC9AFAA7BE4FB98714F000A2DF956AB2A1CB74AD48DB66

Function 00513388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005133CF

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005133F0

Strings

Line %d (File "%s"):, xrefs: 00513443, 0051345C
^ ERROR , xrefs: 0051349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00513504
Incorrect parameters to object property !, xrefs: 005134AB
Error: , xrefs: 005134D1
"%s" (%d) : ==> %s:, xrefs: 00513522

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 28caa4ef0ba8abf8fb9d3134e86907cbf4ecdbc72878fe634dcf85e13f30349e
Instruction ID: ddd900c4a691f45d423b2e47251dfbca31192f9ccdd6d0b8d10133036a560ad8
Opcode Fuzzy Hash: 28caa4ef0ba8abf8fb9d3134e86907cbf4ecdbc72878fe634dcf85e13f30349e
Instruction Fuzzy Hash: EE51D131800609AADF14EBE1CD46EEEBB79FF25744F10446AF40572092EB392F98DB64

Function 0050B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0050B5FC
_wcslen.LIBCMT ref: 0050B608
_wcslen.LIBCMT ref: 0050B64D
_wcslen.LIBCMT ref: 0050B68C
_wcslen.LIBCMT ref: 0050B6C7

Strings

REMOVE, xrefs: 0050B602, 0050B607
EXISTS, xrefs: 0050B686, 0050B68B
APPEND, xrefs: 0050B6C1, 0050B6C6
KEYS, xrefs: 0050B647, 0050B64C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 1db5f7c13cfc998cb97f3b89e52b6b0e93ec6a96c512f19277f1dd354d0dbd4b
Instruction ID: 48ef014b00cca67275503c182449dfd1c39a26646abe45f0f60504ee8e7d69a3
Opcode Fuzzy Hash: 1db5f7c13cfc998cb97f3b89e52b6b0e93ec6a96c512f19277f1dd354d0dbd4b
Instruction Fuzzy Hash: 2841A532A001279ADB205F7DC9D15BE7FA5FBA1B98B24462AE421D72C4E736CD81C790

Function 00515393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00515416
GetLastError.KERNEL32 ref: 00515420
SetErrorMode.KERNEL32(00000000,READY), ref: 005154A7

Strings

INVALID, xrefs: 00515459
READONLY, xrefs: 00515452
READY, xrefs: 00515460, 00515468
NOTREADY, xrefs: 0051544B
UNKNOWN, xrefs: 00515444

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 14b3bc5a604ef15ca7cf6afaac65180085a0b54952e8c500077f3131bcd828f6
Instruction ID: 059beca7580130568db00309c0de80128a5ccec77786e27001c0153fb589cd9c
Opcode Fuzzy Hash: 14b3bc5a604ef15ca7cf6afaac65180085a0b54952e8c500077f3131bcd828f6
Instruction Fuzzy Hash: AC317E35A00605DFEB10DF68C484AEABFB4FB95309F54806AE405DB292E7B5DDC6CB90

Function 00533C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00533C79
SetMenu.USER32(?,00000000), ref: 00533C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00533D10
IsMenu.USER32(?), ref: 00533D24
CreatePopupMenu.USER32 ref: 00533D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00533D5B
DrawMenuBar.USER32 ref: 00533D63

Strings

F, xrefs: 00533D4E
0, xrefs: 00533C54

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8d9e3b9ec75c9a3297a90a7504ae6bb1a1bbc93e03b3a8628e77e4459fb648ea
Instruction ID: 2285014adfdbf5a7519a4fffe083803df5cc1e9377cd4aa397e4987308fbf736
Opcode Fuzzy Hash: 8d9e3b9ec75c9a3297a90a7504ae6bb1a1bbc93e03b3a8628e77e4459fb648ea
Instruction Fuzzy Hash: 0F418779A01209AFDB14CFA4E884EAA7FB5FF59340F140429FA06A7360D730AA14DF94

Function 00501EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 00503CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00503CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00501F64
GetDlgCtrlID.USER32 ref: 00501F6F
GetParent.USER32 ref: 00501F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00501F8E
GetDlgCtrlID.USER32(?), ref: 00501F97
GetParent.USER32(?), ref: 00501FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00501FAE

Strings

ListBox, xrefs: 00501F21
ComboBox, xrefs: 00501EEC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: eb672db4c0689d02ff7d67961a52131ede8886839906b1b10ec47ec4d2b826fe
Instruction ID: 2e5f3b12b162df403ba37323354dd940c31404aa52179b6c2153ba08a0061366
Opcode Fuzzy Hash: eb672db4c0689d02ff7d67961a52131ede8886839906b1b10ec47ec4d2b826fe
Instruction Fuzzy Hash: C621AC70900614ABCF04AFA4CC859EEBFA8FF26354B00411AF961AB2E1DB3859089B64

Function 00533A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00533A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00533AA0
GetWindowLongW.USER32(?,000000F0), ref: 00533AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00533AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00533B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00533BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00533BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00533BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00533BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00533C13

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 29f975b7a8da00dce649491caa952d7535209679109c96d45fece63460316665
Instruction ID: 9fc59aa07a750d98f656187a521d0b694c45ccee50fc2203df15d0926787a820
Opcode Fuzzy Hash: 29f975b7a8da00dce649491caa952d7535209679109c96d45fece63460316665
Instruction Fuzzy Hash: DE616C75900248AFDB10DFA8CC81EEE7BB8FF49700F104199FA15AB2A1C774AE45EB54

Function 0050B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0050B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0050A1E1,?,00000001), ref: 0050B165
GetWindowThreadProcessId.USER32(00000000), ref: 0050B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0050A1E1,?,00000001), ref: 0050B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0050B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0050A1E1,?,00000001), ref: 0050B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0050A1E1,?,00000001), ref: 0050B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0050A1E1,?,00000001), ref: 0050B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0050A1E1,?,00000001), ref: 0050B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0050A1E1,?,00000001), ref: 0050B21D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 238368087bb4f8b621feac6a98b8d40fefed73f8f4991244ca08f820665f35f7
Instruction ID: f32cafe578e4d2cba51db7610f8b83646a7fd66140f7b5ce0a649cc1c31d350d
Opcode Fuzzy Hash: 238368087bb4f8b621feac6a98b8d40fefed73f8f4991244ca08f820665f35f7
Instruction Fuzzy Hash: 59319E75500205BFEB109F24EC89B6D7FA9BB71321F144445FA09E62D0E7B49A88FF60

Function 004D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004D2C94

Part of subcall function 004D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000), ref: 004D29DE
Part of subcall function 004D29C8: GetLastError.KERNEL32(00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000,00000000), ref: 004D29F0

_free.LIBCMT ref: 004D2CA0
_free.LIBCMT ref: 004D2CAB
_free.LIBCMT ref: 004D2CB6
_free.LIBCMT ref: 004D2CC1
_free.LIBCMT ref: 004D2CCC
_free.LIBCMT ref: 004D2CD7
_free.LIBCMT ref: 004D2CE2
_free.LIBCMT ref: 004D2CED
_free.LIBCMT ref: 004D2CFB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7ce36d871b2fa0528623e741effecd265645dda3af32ce45def24a5bc05f2501
Instruction ID: 35f46ee5ae1dd6aff86f37427d871979491014b9d5e2e5680438cee9d1a45efd
Opcode Fuzzy Hash: 7ce36d871b2fa0528623e741effecd265645dda3af32ce45def24a5bc05f2501
Instruction Fuzzy Hash: 111107B6200008AFCB02EF55DA62CDD3BA5FF15344F4040ABFA485F322D6B5EE50AB94

Function 00517DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00517FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00517FC1
GetFileAttributesW.KERNEL32(?), ref: 00517FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00518005
SetCurrentDirectoryW.KERNEL32(?), ref: 00518017
SetCurrentDirectoryW.KERNEL32(?), ref: 00518060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005180B0

Strings

*.*, xrefs: 00518066

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cf7e9ad9399bef999ebc1150cd7b41b7c2535603f4cbe325f2a52e8230435161
Instruction ID: 3a34477c4787fce85e5aab89a4cdd93863a1488a4d8a8bbf3095ab6db0372a12
Opcode Fuzzy Hash: cf7e9ad9399bef999ebc1150cd7b41b7c2535603f4cbe325f2a52e8230435161
Instruction Fuzzy Hash: C181A2725082099BEB20EF29C8449EEBBE8BF99314F144D5EF885D7250DB34DD89CB52

Function 004A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004A5C7A

Part of subcall function 004A5D0A: GetClientRect.USER32(?,?), ref: 004A5D30
Part of subcall function 004A5D0A: GetWindowRect.USER32(?,?), ref: 004A5D71
Part of subcall function 004A5D0A: ScreenToClient.USER32(?,?), ref: 004A5D99

GetDC.USER32 ref: 004E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004E4708
SelectObject.GDI32(00000000,00000000), ref: 004E4716
SelectObject.GDI32(00000000,00000000), ref: 004E472B
ReleaseDC.USER32(?,00000000), ref: 004E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004E47C4

Strings

U, xrefs: 004E4693

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c70b6c5318f7ecffd1a834e929649acec6d37864fa24d86bee4a30b309c7444c
Instruction ID: df916a91e8fce3bb8cb0bee0f6e27104510c70e1706832ac79feaa743a01f05f
Opcode Fuzzy Hash: c70b6c5318f7ecffd1a834e929649acec6d37864fa24d86bee4a30b309c7444c
Instruction Fuzzy Hash: 66710530400245DFCF218F65C984ABB7BB1FF9A326F14426BED555A26AC3388C42EF55

Function 0051359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005135E4

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

LoadStringW.USER32(00572390,?,00000FFF,?), ref: 0051360A

Strings

Line %d (File "%s"):, xrefs: 0051366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00513724
Error: , xrefs: 005136EF
^ ERROR, xrefs: 005136C9
"%s" (%d) : ==> %s:, xrefs: 00513742

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 7baa06b5a1b907036ca3c97cdb890b87f34e9a68998cea56e65a918f4a4f64df
Instruction ID: 11b05afda2af11479e8830c5d0ac4894c090aacd9b13e9db75666fd0f32637a3
Opcode Fuzzy Hash: 7baa06b5a1b907036ca3c97cdb890b87f34e9a68998cea56e65a918f4a4f64df
Instruction Fuzzy Hash: 15518F7180061AAADF15EBA1DC52EEEBF38FF25345F04412AF505721A1EB341B98DFA4

Function 0051C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0051C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0051C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0051C2CA
GetLastError.KERNEL32 ref: 0051C322
SetEvent.KERNEL32(?), ref: 0051C336
InternetCloseHandle.WININET(00000000), ref: 0051C341

Strings

, xrefs: 0051C2BB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 7269dd3adef17f190c1fe6383c8332775d4924606132a744ba031e6406bc0055
Instruction ID: d10c81c58f0b547d8494fd48964d35f418f2d83d9ddb9fc531af50f97aafb782
Opcode Fuzzy Hash: 7269dd3adef17f190c1fe6383c8332775d4924606132a744ba031e6406bc0055
Instruction Fuzzy Hash: AB317FB5540204AFE7219F658C88AAB7FFCFB59744B10891EF496E2200DB36DD889B61

Function 0050989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004E3AAF,?,?,Bad directive syntax error,0053CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005098BC
LoadStringW.USER32(00000000,?,004E3AAF,?), ref: 005098C3

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00509987

Strings

Line %d (File "%s"):, xrefs: 0050992D
., xrefs: 0050996D
Line %d:, xrefs: 00509912
Error: , xrefs: 00509955
%s (%d) : ==> %s.: %s %s, xrefs: 005098F1

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 3e2e293cbcb8ce0da8347790aa1ce861e290a8334adcbfa5d3d4a4eeab43dd9a
Instruction ID: 55352abe0a5d5392dcba7d132544e1ae1cb0826491a896ffc1ab1acaf95d5193
Opcode Fuzzy Hash: 3e2e293cbcb8ce0da8347790aa1ce861e290a8334adcbfa5d3d4a4eeab43dd9a
Instruction Fuzzy Hash: 30219132D0421AABCF11AF91CC06EEE7B35FF29705F04481AF515620A2EB759A28DB54

Function 0050209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0050214D

Strings

smallicons, xrefs: 00502115
largeicons, xrefs: 005020E1
SHELLDLL_DefView, xrefs: 005020CC
list, xrefs: 0050212F
details, xrefs: 005020FB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a93ad085244dcd71b086df11af149b7c9136e60f9a1bb3ed2836f79d36827404
Instruction ID: c992fdf1517130b4b2b66343ffa6d778474ac0325413b8eda6f04a84a396b063
Opcode Fuzzy Hash: a93ad085244dcd71b086df11af149b7c9136e60f9a1bb3ed2836f79d36827404
Instruction Fuzzy Hash: 49113A7A2C8306B9F6156221DC0FDBE7F9CEB14328F20001EFB05A50E1FE6568459618

Function 004DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004DCEB7
_free.LIBCMT ref: 004DCF22
_free.LIBCMT ref: 004DCF48
_free.LIBCMT ref: 004DCF71
_free.LIBCMT ref: 004DCFA9
_free.LIBCMT ref: 004DCFDA
_free.LIBCMT ref: 004DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 004DD09C
_free.LIBCMT ref: 004DD0B5

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1708e042d3224c386fe1116cc0080ef15b318fd34472d78de025ac4ad2e63934
Instruction ID: a67350e8c8420b83ae1edd916e9c90c6e018d2dc74c757be51889aa31477b5cd
Opcode Fuzzy Hash: 1708e042d3224c386fe1116cc0080ef15b318fd34472d78de025ac4ad2e63934
Instruction Fuzzy Hash: 8C6168B1A04302AFCF21AFB598F1AAA7BE5AF11314F04416FF904973C1D67D9901E798

Function 005350D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00535186
ShowWindow.USER32(?,00000000), ref: 005351C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005351CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005351D1

Part of subcall function 00536FBA: DeleteObject.GDI32(00000000), ref: 00536FE6

GetWindowLongW.USER32(?,000000F0), ref: 0053520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0053521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0053524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00535287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00535296

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 0661b2b6bc0f6705b4ac2366f6335fa67d57c2eec3b84738bc1a0f03d9daf10a
Instruction ID: 8fd4a6083a8b684ee9c42344afee2de14dcc8117feec73f76a9a9298d079a3c3
Opcode Fuzzy Hash: 0661b2b6bc0f6705b4ac2366f6335fa67d57c2eec3b84738bc1a0f03d9daf10a
Instruction Fuzzy Hash: 9751E334A40A09FFEF209F24CC4AFD93F65FB05324F145406FA559A2E0E775A994EB40

Function 004B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 004F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004B8874,00000000,00000000,00000000,000000FF,00000000), ref: 004F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004B8874,00000000,00000000,00000000,000000FF,00000000), ref: 004F692D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: aab401b99ecdfbc8b59246b07b439c3b1a4b51ebafd047df49581a566e155838
Instruction ID: af5eeb787671d6ceb97121080c32a31e8002bf53141076c4c3faa6b210e9570d
Opcode Fuzzy Hash: aab401b99ecdfbc8b59246b07b439c3b1a4b51ebafd047df49581a566e155838
Instruction Fuzzy Hash: C0519C70600209EFDB20CF29CC55FAA7BB5FB54750F10451EFA06972A0DB74E991EB54

Function 0051C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0051C182
GetLastError.KERNEL32 ref: 0051C195
SetEvent.KERNEL32(?), ref: 0051C1A9

Part of subcall function 0051C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0051C272
Part of subcall function 0051C253: GetLastError.KERNEL32 ref: 0051C322
Part of subcall function 0051C253: SetEvent.KERNEL32(?), ref: 0051C336
Part of subcall function 0051C253: InternetCloseHandle.WININET(00000000), ref: 0051C341

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b66874c049b0ff3906e5e5a522b1487335d6b6ec1ed79b0f990fa04261ab999c
Instruction ID: bd9e7170adf2dd780ef4c1e66e1516b0b90d8a536f64603639282b41f4745cce
Opcode Fuzzy Hash: b66874c049b0ff3906e5e5a522b1487335d6b6ec1ed79b0f990fa04261ab999c
Instruction Fuzzy Hash: 36318375180601BFEB219FA5DC48AA7BFF9FF58300B00441DF9A692610D732E854EB60

Function 005025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00503A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00503A57
Part of subcall function 00503A3D: GetCurrentThreadId.KERNEL32 ref: 00503A5E
Part of subcall function 00503A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005025B3), ref: 00503A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00502601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00502605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0050260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00502623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00502627

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e9006b6b671b6085e0684e2ce75ea5a230e2e7d5130f704a5a6ba021f2121469
Instruction ID: 0369d625b3db8b363a0401e5992c3b4351bf018e670e54816b762e59f1c85476
Opcode Fuzzy Hash: e9006b6b671b6085e0684e2ce75ea5a230e2e7d5130f704a5a6ba021f2121469
Instruction Fuzzy Hash: 3F01D431390210BBFB2067699C8EF593F59EB9EB12F100001F318BE1D1C9E22448EA69

Function 00501803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00501449,?,?,00000000), ref: 0050180C
HeapAlloc.KERNEL32(00000000,?,00501449,?,?,00000000), ref: 00501813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00501449,?,?,00000000), ref: 00501828
GetCurrentProcess.KERNEL32(?,00000000,?,00501449,?,?,00000000), ref: 00501830
DuplicateHandle.KERNEL32(00000000,?,00501449,?,?,00000000), ref: 00501833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00501449,?,?,00000000), ref: 00501843
GetCurrentProcess.KERNEL32(00501449,00000000,?,00501449,?,?,00000000), ref: 0050184B
DuplicateHandle.KERNEL32(00000000,?,00501449,?,?,00000000), ref: 0050184E
CreateThread.KERNEL32(00000000,00000000,00501874,00000000,00000000,00000000), ref: 00501868

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3e50f988b01720766be7958efbcb5f561cf5fc7a950d3d59025ed128106d92c9
Instruction ID: c347d7cc2cdb32241bb72a316e1c8df5da4a9df7e4dc3ecf0f854b888f0084c5
Opcode Fuzzy Hash: 3e50f988b01720766be7958efbcb5f561cf5fc7a950d3d59025ed128106d92c9
Instruction Fuzzy Hash: 3801BF75240304BFE710AB65DC4DF5B3F6CEB99B11F004411FA05EB291C670D814EB20

Function 004D3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004D3F0B
__alldvrm.LIBCMT ref: 004D410C
__alldvrm.LIBCMT ref: 004D412E

Strings

}}L, xrefs: 004D3E96, 004D3EF1, 004D3F0A, 004D4090
}}L, xrefs: 004D3E8A
}}L, xrefs: 004D40CD

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}L$}}L$}}L
API String ID: 1036877536-698281817
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 45e2ebb1f3e86e47970723f64a45e89d175963d9c517ccd4b629eb0f1a41b68a
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 21A13771E003869FDB26CF18C8A1BAEBBE5EFA1354F18416FE5859B381C23C9941C759

Function 0052A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0050D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0050D501
Part of subcall function 0050D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0050D50F
Part of subcall function 0050D4DC: CloseHandle.KERNELBASE(00000000), ref: 0050D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0052A16D
GetLastError.KERNEL32 ref: 0052A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0052A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0052A268
GetLastError.KERNEL32(00000000), ref: 0052A273
CloseHandle.KERNEL32(00000000), ref: 0052A2C4

Strings

SeDebugPrivilege, xrefs: 0052A18F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 75fd46c21b38060bc5ef44ccdab20a33e59705764b021e845b90a91e86d332fd
Instruction ID: c46ceca008f41735e16bc2295b1155ddad256d18493958b66f3968418ec670d0
Opcode Fuzzy Hash: 75fd46c21b38060bc5ef44ccdab20a33e59705764b021e845b90a91e86d332fd
Instruction Fuzzy Hash: 33619A342042529FD720DF19D494F19BFA1BF56318F18848CE4668B7E2C776EC49CB92

Function 00533886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00533925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0053393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00533954
_wcslen.LIBCMT ref: 00533999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005339F4

Strings

SysListView32, xrefs: 005338F7

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0f73debd1cf6983e05f131e5e68cb3ef61bc9d420e91137cbf6ebcd0584bf2e8
Instruction ID: e01c94bf06051c8e98a14293840a015b2a37fdace60d8f12bff47923f67797cb
Opcode Fuzzy Hash: 0f73debd1cf6983e05f131e5e68cb3ef61bc9d420e91137cbf6ebcd0584bf2e8
Instruction Fuzzy Hash: 0A41C271A00219ABEB219F64CC49FEA7FA9FF08354F10052AF958E7281D7719E84CB90

Function 0050BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0050BCFD
IsMenu.USER32(00000000), ref: 0050BD1D
CreatePopupMenu.USER32 ref: 0050BD53
GetMenuItemCount.USER32(00DD5D88), ref: 0050BDA4
InsertMenuItemW.USER32(00DD5D88,?,00000001,00000030), ref: 0050BDCC

Strings

2, xrefs: 0050BD37
0, xrefs: 0050BCA8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 522828f38477c6d1137253b49408a5b55ed91eb761f4fe8925999547680ca399
Instruction ID: c6aa574b8e378174c94ebba8f0b19f2928733f45e7d1cc1478c64f052a00a7d6
Opcode Fuzzy Hash: 522828f38477c6d1137253b49408a5b55ed91eb761f4fe8925999547680ca399
Instruction Fuzzy Hash: 84519C72A002069BEB20DFA8D8C9BAEFFF4BF95314F148619E811A72D1D7709944CB61

Function 004C2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 004C2D53
_ValidateLocalCookies.LIBCMT ref: 004C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 004C2E0C
_ValidateLocalCookies.LIBCMT ref: 004C2E61

Strings

&HL, xrefs: 004C2DFE, 004C2E07, 004C2E18
csm, xrefs: 004C2DF6

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HL$csm
API String ID: 1170836740-204362301
Opcode ID: e79af5f953c96cba593554029b04014fce97676312b7b6830ad85a42cad882e0
Instruction ID: e5de45abd4c67a6e52d85b62cd27078a3c1682c5ebbd1410930c3a6a12b93a06
Opcode Fuzzy Hash: e79af5f953c96cba593554029b04014fce97676312b7b6830ad85a42cad882e0
Instruction Fuzzy Hash: 7041E438A00208ABCF50DF69C944F9EBBA0BF54328F14805EE8156B392D7B99A05CB95

Function 0050C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0050C913

Strings

info, xrefs: 0050C8B4
question, xrefs: 0050C8CC
warning, xrefs: 0050C8FC
blank, xrefs: 0050C895
stop, xrefs: 0050C8E4

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8569ff7fdda9c162694d1334ad2b4032237d774a281a99de4f491b2d2dddc78e
Instruction ID: 64cfdc3222c8538ee9501138647e36455518966c890de5e7577bce111af8993e
Opcode Fuzzy Hash: 8569ff7fdda9c162694d1334ad2b4032237d774a281a99de4f491b2d2dddc78e
Instruction Fuzzy Hash: 0C112B35789306BAE7145B549C83DAE2F9CFF16718B10452FF904A62C2D7756D005268

Function 0050DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0050DE42
gethostname.WSOCK32(?,00000100), ref: 0050DE5C
gethostbyname.WSOCK32(?), ref: 0050DE69
inet_ntoa.WSOCK32(?), ref: 0050DEAB
_strcat.LIBCMT ref: 0050DEB9
WSACleanup.WSOCK32 ref: 0050DEDE

Strings

0.0.0.0, xrefs: 0050DE87

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 762bbeb4c12c197cb5c8160796f48c4de1bde0ff400fa063def6e2062fe211b8
Instruction ID: 5424abf103051137763f4630d036fe55d3d353c1337bca14dae16f7949600018
Opcode Fuzzy Hash: 762bbeb4c12c197cb5c8160796f48c4de1bde0ff400fa063def6e2062fe211b8
Instruction Fuzzy Hash: 4911E472904114ABCB20AB71DC0AEEE7FBCEB60714F00016EF405AA1D1EF758A859B70

Function 0050ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0050ED2A
_wcslen.LIBCMT ref: 0050ED3B
_wcslen.LIBCMT ref: 0050ED79
_wcslen.LIBCMT ref: 0050EDAF
_wcslen.LIBCMT ref: 0050EDDF
_wcslen.LIBCMT ref: 0050EDEF
_wcslen.LIBCMT ref: 0050EE2B
_wcslen.LIBCMT ref: 0050EE5A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: df298b16b397ca4564c617b94f00f39a0ff27ba5aaf437e9f367bf1cee4b98ad
Instruction ID: c66dd4ced25a34aeba981d2ccde7b7d527e1a4f094536d2c11d71c5c927083f0
Opcode Fuzzy Hash: df298b16b397ca4564c617b94f00f39a0ff27ba5aaf437e9f367bf1cee4b98ad
Instruction Fuzzy Hash: 47419369C1011865CB91EBB5C88AECFB7ACAF45310F50886FE518E3162EB38D245C3A9

Function 004BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004F682C,00000004,00000000,00000000), ref: 004BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,004F682C,00000004,00000000,00000000), ref: 004FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004F682C,00000004,00000000,00000000), ref: 004FF454

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ff00ed9216d6caf96b7d52bd08b6986f4b8b6aa8a0a25064211b88bbfddf7532
Instruction ID: bda7b29af9020bac1db77a6d7b17d176e754b74b09647ebfc5816ecf8629a233
Opcode Fuzzy Hash: ff00ed9216d6caf96b7d52bd08b6986f4b8b6aa8a0a25064211b88bbfddf7532
Instruction Fuzzy Hash: 6A410671208640BBC7398B2D8C887BB7B91AF66314F14443FE54F52760C639A88DEB39

Function 00532D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00532D1B
GetDC.USER32(00000000), ref: 00532D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00532D2E
ReleaseDC.USER32(00000000,00000000), ref: 00532D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00532D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00532D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00535A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00532DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00532DE1

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 58fc187f2e1e10a4b79771ba5f2f9a7932a5f7437bf184760f2ea8387b53c2d4
Instruction ID: 56948cb2f33106d36961fb25b1cdbc4de73f404875131977458c282f101f6b3a
Opcode Fuzzy Hash: 58fc187f2e1e10a4b79771ba5f2f9a7932a5f7437bf184760f2ea8387b53c2d4
Instruction Fuzzy Hash: 77318B72201614BBEB218F54CC8AFEB3FA9FB19711F044055FE08AA291C6759C41CBA0

Function 00505622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00505637
_memcmp.LIBVCRUNTIME ref: 00505659
_memcmp.LIBVCRUNTIME ref: 00505671
_memcmp.LIBVCRUNTIME ref: 00505684
_memcmp.LIBVCRUNTIME ref: 0050569E
_memcmp.LIBVCRUNTIME ref: 005056B1
_memcmp.LIBVCRUNTIME ref: 005056C9
_memcmp.LIBVCRUNTIME ref: 005056E4

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c0d17c94fa954ab6c99d2e93462f3c229d59f6dbc57fb3398aafaa9e9320e2bf
Instruction ID: e302e2a00707379f783dc0517618a26e9671cfb1e44c7bbcd224a5233de74dd5
Opcode Fuzzy Hash: c0d17c94fa954ab6c99d2e93462f3c229d59f6dbc57fb3398aafaa9e9320e2bf
Instruction Fuzzy Hash: 5521FC75A84A09B7E31455118E92FFF3B5CBF21388F440029FD059A9D2F726ED108EE9

Function 00524FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0052502E, 00525383
Not an Object type, xrefs: 00525007

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bcc06abe27a6b3478e747a512736daf6108b1821d22053699655a16ea636ce5b
Instruction ID: 0688a7194a370b99bba6880733715db70e03c71921b5e9a6530845738403737d
Opcode Fuzzy Hash: bcc06abe27a6b3478e747a512736daf6108b1821d22053699655a16ea636ce5b
Instruction Fuzzy Hash: 1FD1D175A0061A9FDF10CFA8D884BAEBBB5FF49304F148469E915AB2C1E770DD45CB90

Function 004E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004E17FB,?,004E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004E16FB

Part of subcall function 004D3820: RtlAllocateHeap.NTDLL(00000000,?,00571444,?,004BFDF5,?,?,004AA976,00000010,00571440,004A13FC,?,004A13C6,?,004A1129), ref: 004D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004E1777
__freea.LIBCMT ref: 004E17A2
__freea.LIBCMT ref: 004E17AE

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: e2dbd849d4edfeaae71788f4c72f46eaeb7bc26454dc2b700b9265ba311413e3
Instruction ID: f78ca52211735c17b8af8e01ad20bd52b7139d773714c70331236836c2c110f4
Opcode Fuzzy Hash: e2dbd849d4edfeaae71788f4c72f46eaeb7bc26454dc2b700b9265ba311413e3
Instruction Fuzzy Hash: 3D91C371E40286ABDB208E76C881EEF7BB5AF45711F18465BE801E7261D73DCC40C768

Function 00524523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00524648
VariantInit.OLEAUT32(?), ref: 00524749
VariantClear.OLEAUT32(?), ref: 00524753
VariantClear.OLEAUT32(?), ref: 005247B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 005245D8, 00524706, 005247BE
Incorrect Object type in FOR..IN loop, xrefs: 0052472C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 678541df285dd5da60806f9e71755ff58848cfc61150cf5c0aa5acfe813bb8dc
Instruction ID: 8fae26793ddcec0fd658152c129f6c52c41f3108e1976e3ad6ed76b57513a402
Opcode Fuzzy Hash: 678541df285dd5da60806f9e71755ff58848cfc61150cf5c0aa5acfe813bb8dc
Instruction Fuzzy Hash: AC91A071A00229ABDF20CFA5D884FAEBFB8FF46714F148559F515AB280D7709945CFA0

Function 00511187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0051125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00511284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0051135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00511430

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 8cb84c989211232fe085573de223cd80f705a8af113c33db17186fdb3a5bcbde
Instruction ID: 6cea0085d782b3c25bfecfedeecf4cf54c586c7efbad6b6c2dd4f287f61fa802
Opcode Fuzzy Hash: 8cb84c989211232fe085573de223cd80f705a8af113c33db17186fdb3a5bcbde
Instruction Fuzzy Hash: 50916675A00609AFEB00CF95C884BFEBBB4FF44715F104469E610EB291D7B8AC81CB98

Function 004B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: dcb37ff8cc666905162b39ae285f94c0e4c3e5eff9a82591018345d265f54c51
Instruction ID: 4be17b3f7f9053c0195041085199e185a0efad5771149d887f185d3a8b17537b
Opcode Fuzzy Hash: dcb37ff8cc666905162b39ae285f94c0e4c3e5eff9a82591018345d265f54c51
Instruction Fuzzy Hash: 61912671944219AFCB14CFA9CC84AEEBBB8FF49320F14405AE615B7251D378AD42CB64

Function 00523947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0052396B
CharUpperBuffW.USER32(?,?), ref: 00523A7A
_wcslen.LIBCMT ref: 00523A8A
VariantClear.OLEAUT32(?), ref: 00523C1F

Part of subcall function 00510CDF: VariantInit.OLEAUT32(00000000), ref: 00510D1F
Part of subcall function 00510CDF: VariantCopy.OLEAUT32(?,?), ref: 00510D28
Part of subcall function 00510CDF: VariantClear.OLEAUT32(?), ref: 00510D34

Strings

Incorrect Parameter format, xrefs: 005239A6, 00523BA1
AUTOIT.ERROR, xrefs: 00523A80, 00523A85

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 81a3bf4b49f40750fe6892c31086100b55d3d36bc58666ecc7db5130f005bac7
Instruction ID: 65ebaab4bf2a8786c4df6b58acf335fd5cb341628f8fa8bd1ca7e2a2b423adeb
Opcode Fuzzy Hash: 81a3bf4b49f40750fe6892c31086100b55d3d36bc58666ecc7db5130f005bac7
Instruction Fuzzy Hash: 9C916A756083159FC704EF24D48496ABBE4FF8A318F04882EF88997391DB34EE45CB92

Function 00524BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0050000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004FFF41,80070057,?,?,?,0050035E), ref: 0050002B
Part of subcall function 0050000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004FFF41,80070057,?,?), ref: 00500046
Part of subcall function 0050000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004FFF41,80070057,?,?), ref: 00500054
Part of subcall function 0050000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004FFF41,80070057,?), ref: 00500064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00524C51
_wcslen.LIBCMT ref: 00524D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00524DCF
CoTaskMemFree.OLE32(?), ref: 00524DDA

Strings

NULL Pointer assignment, xrefs: 00524E23, 00524E52

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 5b6b704ee54d551c3a247099b4e2d9049556a3aed1bf774a50221cbd2c27cbc8
Instruction ID: d9fab96c3873e69806cda95c5c4861bf25b4415e603d90ef23816ae59b83a78f
Opcode Fuzzy Hash: 5b6b704ee54d551c3a247099b4e2d9049556a3aed1bf774a50221cbd2c27cbc8
Instruction Fuzzy Hash: AD912771D00229AFDF14DFA4D891AEEBBB8BF09304F10856AE915B7291DB349E44CF61

Function 005320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00532183
GetMenuItemCount.USER32(00000000), ref: 005321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005321DD
_wcslen.LIBCMT ref: 00532213
GetMenuItemID.USER32(?,?), ref: 0053224D
GetSubMenu.USER32(?,?), ref: 0053225B

Part of subcall function 00503A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00503A57
Part of subcall function 00503A3D: GetCurrentThreadId.KERNEL32 ref: 00503A5E
Part of subcall function 00503A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005025B3), ref: 00503A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005322E3

Part of subcall function 0050E97B: Sleep.KERNEL32 ref: 0050E9F3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0fbe7e32e4a109db613e50943d5f3b696a74085aea1f739e4743437999fe0308
Instruction ID: 0e61dd6cc19934d9cd9c3001db966036aaeb3cf2aa5c406924b252501e1d1726
Opcode Fuzzy Hash: 0fbe7e32e4a109db613e50943d5f3b696a74085aea1f739e4743437999fe0308
Instruction Fuzzy Hash: 0B717C75A00605AFCB10EF69C885AAEBBF5BF88314F148459F816EB351DB34ED41CBA0

Function 0050AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0050AEF9
GetKeyboardState.USER32(?), ref: 0050AF0E
SetKeyboardState.USER32(?), ref: 0050AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0050AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0050AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0050AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0050B020

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 08db6af13de9a07aeac161d97725393bb0583ea46bb62701dbee1b27669d2500
Instruction ID: 66377ffa68d4fe07e9e2df9913a59bd7f1dbb435d78ad9b710f9f418818a7c5d
Opcode Fuzzy Hash: 08db6af13de9a07aeac161d97725393bb0583ea46bb62701dbee1b27669d2500
Instruction Fuzzy Hash: 3151A3A0A047D63DFB368334CC99BBE7EA97B06304F088589E1D9954C3D399ACC8D751

Function 0050ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0050AD19
GetKeyboardState.USER32(?), ref: 0050AD2E
SetKeyboardState.USER32(?), ref: 0050AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0050ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0050ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0050AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0050AE38

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d0d9b673dad273d20eb580058d018dfbefb274341f5ac6b1015524f105c4bd05
Instruction ID: 62ef93b7f5397c95daf814478048a159b703774aa8049481c5a1314e20e0e818
Opcode Fuzzy Hash: d0d9b673dad273d20eb580058d018dfbefb274341f5ac6b1015524f105c4bd05
Instruction Fuzzy Hash: FA51B5A15047D63DFB378334CC95BBEBEA97B46300F088589E1D55A8C3D294EC88E762

Function 004D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(004E3CD6,?,?,?,?,?,?,?,?,004D5BA3,?,?,004E3CD6,?,?), ref: 004D5470
__fassign.LIBCMT ref: 004D54EB
__fassign.LIBCMT ref: 004D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,004E3CD6,00000005,00000000,00000000), ref: 004D552C
WriteFile.KERNEL32(?,004E3CD6,00000000,004D5BA3,00000000,?,?,?,?,?,?,?,?,?,004D5BA3,?), ref: 004D554B
WriteFile.KERNEL32(?,?,00000001,004D5BA3,00000000,?,?,?,?,?,?,?,?,?,004D5BA3,?), ref: 004D5584

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4aaa1b719c979d1a56f636009fdb95899d2eacb92cc2e60563047e0a30d690df
Instruction ID: 7d4d2e0fa818dc03efb9ebf3e2169d47b55fc24be54fc085d17718bd394f5eea
Opcode Fuzzy Hash: 4aaa1b719c979d1a56f636009fdb95899d2eacb92cc2e60563047e0a30d690df
Instruction Fuzzy Hash: BB51E3B0A00648AFCB11CFA8E861AEEBBF9EF19300F14411BF555E3391DB349A41CB65

Function 005210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0052304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0052307A
Part of subcall function 0052304E: _wcslen.LIBCMT ref: 0052309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00521112
WSAGetLastError.WSOCK32 ref: 00521121
WSAGetLastError.WSOCK32 ref: 005211C9
closesocket.WSOCK32(00000000), ref: 005211F9

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 91e2538f9b58c729da3d4e6b0e87a1cec482888be99abe75a8b0808fca9741d1
Instruction ID: f7bb899751636e4b39b5023855624cab7311e26a5036e1f5f57ca8f8286cd687
Opcode Fuzzy Hash: 91e2538f9b58c729da3d4e6b0e87a1cec482888be99abe75a8b0808fca9741d1
Instruction Fuzzy Hash: CE411431600614AFDB109F24D884BAABFE9FF56328F148059FD06AB2D1C774AE45CBE5

Function 0050CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0050DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0050CF22,?), ref: 0050DDFD

Part of subcall function 0050DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0050CF22,?), ref: 0050DE16

lstrcmpiW.KERNEL32(?,?), ref: 0050CF45
MoveFileW.KERNEL32(?,?), ref: 0050CF7F
_wcslen.LIBCMT ref: 0050D005
_wcslen.LIBCMT ref: 0050D01B
SHFileOperationW.SHELL32(?), ref: 0050D061

Strings

\*.*, xrefs: 0050CFF3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 1765aefd31166b6611fe29053aac004007bc6ca989b83e8fb11c80cc2528f39c
Instruction ID: 425506546c30724c6ab84d0e0b510d3dada727dd2f6d3bb1e3efc3e767b718c1
Opcode Fuzzy Hash: 1765aefd31166b6611fe29053aac004007bc6ca989b83e8fb11c80cc2528f39c
Instruction Fuzzy Hash: 034189B18052195FDF12EFA4C985EDE7FB8BF55380F1000EAE505E7181EB34AA48CB51

Function 00532DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00532E1C
GetWindowLongW.USER32(?,000000F0), ref: 00532E4F
GetWindowLongW.USER32(?,000000F0), ref: 00532E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00532EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00532EE0
GetWindowLongW.USER32(?,000000F0), ref: 00532EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00532F0B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 58274c385c2242985ee28ab8e9d1cd9f0908aa216a59ba29e1dc8f4576f1baba
Instruction ID: 69520e05874e8c8c3ebc23714faa3237e702d90b2365e93a406fb1819ddc2be2
Opcode Fuzzy Hash: 58274c385c2242985ee28ab8e9d1cd9f0908aa216a59ba29e1dc8f4576f1baba
Instruction Fuzzy Hash: AA310335604650AFDB21CF5CEC86F653BE9FBAAB10F150164FA049F2B1CB71A885EB41

Function 00507726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00507769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0050778F
SysAllocString.OLEAUT32(00000000), ref: 00507792
SysAllocString.OLEAUT32(?), ref: 005077B0
SysFreeString.OLEAUT32(?), ref: 005077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005077DE
SysAllocString.OLEAUT32(?), ref: 005077EC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 760e1e0074d31360d37373a0b785270229a706d8b48b5de8f0dc22eb4e1cf79a
Instruction ID: 2d2419ed09881428ff6381362f081df0169d9f5d019fcaaa5043de8c18ea5170
Opcode Fuzzy Hash: 760e1e0074d31360d37373a0b785270229a706d8b48b5de8f0dc22eb4e1cf79a
Instruction Fuzzy Hash: 2B21AE76A0421DAFDF10DFA8CC88CBF7BACFB093A47008425BA14DB290D670EC459764

Function 005077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00507842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00507868
SysAllocString.OLEAUT32(00000000), ref: 0050786B
SysAllocString.OLEAUT32 ref: 0050788C
SysFreeString.OLEAUT32 ref: 00507895
StringFromGUID2.OLE32(?,?,00000028), ref: 005078AF
SysAllocString.OLEAUT32(?), ref: 005078BD

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b39625547ee9f95879a0f70fc0f76031beb5a5ae378c35c8f5324d124ff6d603
Instruction ID: 9d65756c49aae788843515106ab39ee19a35db24ca25b71ca8de86827d048e63
Opcode Fuzzy Hash: b39625547ee9f95879a0f70fc0f76031beb5a5ae378c35c8f5324d124ff6d603
Instruction Fuzzy Hash: 7D215E32A08208AFDF109BA8DC88DAA7BACFF0D7607148125B915DB2A1D674EC55DB64

Function 005104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0051052E

Strings

nul, xrefs: 00510567

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: deb81584a10af77fbaf9665f9c583cf04dc155cad446e80597bc0300b4bac9ed
Instruction ID: 2486fbbb4cb96339e28c42a2c666aecf40daf6aa3b2830f1cebf4acc4f5df05e
Opcode Fuzzy Hash: deb81584a10af77fbaf9665f9c583cf04dc155cad446e80597bc0300b4bac9ed
Instruction Fuzzy Hash: C7217C75500305ABEF209F29D844AAA7FA5BF54724F204A19F8A1E62E0D7B099D4DF20

Function 005105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00510601

Strings

nul, xrefs: 00510639

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 77f2fdb05b9a728862bd4b85ce51626169f8a2d99c1433a9216172caaa61345c
Instruction ID: 3baca586e07900e1ddc81f3ae6ad1813e0d5a2af5a97d461229a90553d5a5c54
Opcode Fuzzy Hash: 77f2fdb05b9a728862bd4b85ce51626169f8a2d99c1433a9216172caaa61345c
Instruction Fuzzy Hash: 142165755003059BEB209F69DC44AEA7FE4BF95720F205A19F8A1E72D0D7F099E0DB50

Function 005340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004A604C
Part of subcall function 004A600E: GetStockObject.GDI32(00000011), ref: 004A6060
Part of subcall function 004A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00534112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0053411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0053412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00534139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00534145

Strings

Msctls_Progress32, xrefs: 005340E3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f0838e0099e5ca163386a33365488240af590d6a57fb482f9d7a45277d504e81
Instruction ID: d310d0aa557236edfe9739e6fb7121c8bfbecc0510618c81a0ff6b36587ab6f4
Opcode Fuzzy Hash: f0838e0099e5ca163386a33365488240af590d6a57fb482f9d7a45277d504e81
Instruction Fuzzy Hash: 0411B2B214021DBEEF118F64CC86EE77F5DFF18798F014111FA18A6150CA729C61DBA4

Function 004DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004DD7A3: _free.LIBCMT ref: 004DD7CC

_free.LIBCMT ref: 004DD82D

Part of subcall function 004D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000), ref: 004D29DE
Part of subcall function 004D29C8: GetLastError.KERNEL32(00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000,00000000), ref: 004D29F0

_free.LIBCMT ref: 004DD838
_free.LIBCMT ref: 004DD843
_free.LIBCMT ref: 004DD897
_free.LIBCMT ref: 004DD8A2
_free.LIBCMT ref: 004DD8AD
_free.LIBCMT ref: 004DD8B8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: e28b1b8014b55cfbe98980bfb0d8cc91044ae864a863bd9cb6d35fc2ac4bd29c
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: F41151B1A40B04AAD521BFB2CC67FCB7BDC6F10704F40086FF29DA6292DA6DB5055654

Function 0050DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0050DA74
LoadStringW.USER32(00000000), ref: 0050DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0050DA91
LoadStringW.USER32(00000000), ref: 0050DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0050DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0050DAB9

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: abe2a43db59da85c9f1d33f90e73d8a5f8c90eab0b63542c55a868d2ecb4f66b
Instruction ID: 125bb34235719f2a3180b40571d1925c58a52aea03cb7c9e503042da46b83c3e
Opcode Fuzzy Hash: abe2a43db59da85c9f1d33f90e73d8a5f8c90eab0b63542c55a868d2ecb4f66b
Instruction Fuzzy Hash: 340186F25002087FEB109BE49D89EEB3B6CF708301F400495B706F2181EA749E889F74

Function 0051096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00DCE3C8,00DCE3C8), ref: 0051097B
EnterCriticalSection.KERNEL32(00DCE3A8,00000000), ref: 0051098D
TerminateThread.KERNEL32(?,000001F6), ref: 0051099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005109A9
CloseHandle.KERNEL32(?), ref: 005109B8
InterlockedExchange.KERNEL32(00DCE3C8,000001F6), ref: 005109C8
LeaveCriticalSection.KERNEL32(00DCE3A8), ref: 005109CF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: bd77290145bbac2cf247566f2fa43bc66a455d007adbe5b93a5b67efa85ff292
Instruction ID: 8e87f87b8df96f9b2bb83f9db7a0320a1a91f0e30291802fe2c34dfcb4fbb67e
Opcode Fuzzy Hash: bd77290145bbac2cf247566f2fa43bc66a455d007adbe5b93a5b67efa85ff292
Instruction Fuzzy Hash: D5F03131442502BBE7415F94EE8CBD67F35FF15702F402015F141A19A1C7B494B9DF90

Function 00521C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00521DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00521DE1
WSAGetLastError.WSOCK32 ref: 00521DF2
htons.WSOCK32(?,?,?,?,?), ref: 00521EDB
inet_ntoa.WSOCK32(?), ref: 00521E8C

Part of subcall function 005039E8: _strlen.LIBCMT ref: 005039F2

Part of subcall function 00523224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0051EC0C), ref: 00523240

_strlen.LIBCMT ref: 00521F35

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 2da78f926b1fabfbc349c1d10701ace98aff37999daed7409928daa0b39e4905
Instruction ID: f00ba620b77108b9dca8d462f2afc003f1fc336c03af16a9fe7f2816f2407667
Opcode Fuzzy Hash: 2da78f926b1fabfbc349c1d10701ace98aff37999daed7409928daa0b39e4905
Instruction Fuzzy Hash: E0B11131200710AFC324DF25D885E2B7BA5BFA6318F54894DF45A5B2E2CB31ED42CBA5

Function 004A5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004A5D30
GetWindowRect.USER32(?,?), ref: 004A5D71
ScreenToClient.USER32(?,?), ref: 004A5D99
GetClientRect.USER32(?,?), ref: 004A5ED7
GetWindowRect.USER32(?,?), ref: 004A5EF8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3beaa10a506be9bfc780f1abe02b3bce032b262fa9838aadf05c3bb678ab94af
Instruction ID: 8f4d22fe17fc375b5f8b9a137c0bd5c9fb8b1542742502c31f5bc26e2e26259e
Opcode Fuzzy Hash: 3beaa10a506be9bfc780f1abe02b3bce032b262fa9838aadf05c3bb678ab94af
Instruction Fuzzy Hash: 84B17A78A0068ADBDB10CFA9C5407EEB7F1FF68310F14841AE8A9D7250D738AA51DB59

Function 004D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D00D6
__allrem.LIBCMT ref: 004D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D010B
__allrem.LIBCMT ref: 004D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D0140

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2b6d903c312eaf3e5d3da0c8c358c7d367becd56103ee78a9fc4dbc10bdcce14
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 1181CF76A00706AAE7209A2ACC51B6B73A9EF41328F24413FF451D7781E77DD9048798

Function 004D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004C82D9,004C82D9,?,?,?,004D644F,00000001,00000001,8BE85006), ref: 004D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004D644F,00000001,00000001,8BE85006,?,?,?), ref: 004D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004D63D8
__freea.LIBCMT ref: 004D63E5

Part of subcall function 004D3820: RtlAllocateHeap.NTDLL(00000000,?,00571444,?,004BFDF5,?,?,004AA976,00000010,00571440,004A13FC,?,004A13C6,?,004A1129), ref: 004D3852

__freea.LIBCMT ref: 004D63EE
__freea.LIBCMT ref: 004D6413

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 24c93e0b845c25d3a536c84b8013510b46dfddc9c0ef67c98ea13e11069b5c43
Instruction ID: fe8f6d450db04c38050625b263e127ca57cc0f9014ba4aa835b47a6fc26a7d2b
Opcode Fuzzy Hash: 24c93e0b845c25d3a536c84b8013510b46dfddc9c0ef67c98ea13e11069b5c43
Instruction Fuzzy Hash: 0B511172600216ABDB259F64CCA1EAF7BA9EB44714F16422BFC05D6341DB3CDC44D668

Function 0052BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 0052C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052B6AE,?,?), ref: 0052C9B5
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052C9F1
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052CA68
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0052BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0052BD25
RegCloseKey.ADVAPI32(00000000), ref: 0052BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0052BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0052BDF3
RegCloseKey.ADVAPI32(?), ref: 0052BDFF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 8d5cda85457eeebc23cc962ed54bc4fc93d0953d9dfe995309776e3f5a1577e0
Instruction ID: 11b1b5fee4b14fa1eb78299474b86b0a14b7ee4d33ec7ad44b93c9ba538204f0
Opcode Fuzzy Hash: 8d5cda85457eeebc23cc962ed54bc4fc93d0953d9dfe995309776e3f5a1577e0
Instruction Fuzzy Hash: 4A81CF70208241EFD714DF24D885E6ABBE9FF86308F14895DF4598B2A2DB31ED45CB92

Function 004FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 004FF7B9
SysAllocString.OLEAUT32(00000001), ref: 004FF860
VariantCopy.OLEAUT32(004FFA64,00000000), ref: 004FF889
VariantClear.OLEAUT32(004FFA64), ref: 004FF8AD
VariantCopy.OLEAUT32(004FFA64,00000000), ref: 004FF8B1
VariantClear.OLEAUT32(?), ref: 004FF8BB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 631615028cd758aea7ce3a69fbd6795faf97644be144701ed0e0550dfa6566c0
Instruction ID: 451fa2a16f966aedafb0a923444de318e63366814b8e73ad85c0338ecb79abb4
Opcode Fuzzy Hash: 631615028cd758aea7ce3a69fbd6795faf97644be144701ed0e0550dfa6566c0
Instruction Fuzzy Hash: F5510B71500314BBCF10AB66D895B39B3A8EF55314F14446BEA05DF291D7B88C48D76F

Function 0051910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 004A7620: _wcslen.LIBCMT ref: 004A7625

Part of subcall function 004A6B57: _wcslen.LIBCMT ref: 004A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005194E5
_wcslen.LIBCMT ref: 00519506
_wcslen.LIBCMT ref: 0051952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00519585

Strings

X, xrefs: 00519412

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a8ecf201fe636404cac94e064502195302ac019ba24bf9ae00d570f04f1f7886
Instruction ID: 21aef8f837d0cf5eba5125e888c5ca21d3718863743a4f96988d213af43ea8ff
Opcode Fuzzy Hash: a8ecf201fe636404cac94e064502195302ac019ba24bf9ae00d570f04f1f7886
Instruction Fuzzy Hash: D7E1F5315043009FD724EF25C891AAEBBE1FF95318F04896DF8999B2A2DB34DD44CB96

Function 004B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 004B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004B9BB2

BeginPaint.USER32(?,?,?), ref: 004B9241
GetWindowRect.USER32(?,?), ref: 004B92A5
ScreenToClient.USER32(?,?), ref: 004B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004B92D3
EndPaint.USER32(?,?,?,?,?), ref: 004B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004F71EA

Part of subcall function 004B9339: BeginPath.GDI32(00000000), ref: 004B9357

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0ac61421dcf54e5765d2524b2890fc90827ed6d93a70f85d618fe9e8cf5cc11f
Instruction ID: b6ceab3bd13764d0ca95ac27a1b1eaa4aa54929103adf13a08956c61228d6b06
Opcode Fuzzy Hash: 0ac61421dcf54e5765d2524b2890fc90827ed6d93a70f85d618fe9e8cf5cc11f
Instruction Fuzzy Hash: 3441A131104200AFD711DF28DC85FBA7BE8EB59324F14066AFA54972A1C7399C4AEB66

Function 005107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0051080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00510847
EnterCriticalSection.KERNEL32(?), ref: 00510863
LeaveCriticalSection.KERNEL32(?), ref: 005108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00510921

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c1e7765e17a38a7ce3ef7d92bf970f950e035a5650690dcdeb515d4cc076bbc2
Instruction ID: 6c10053987b33f00d0ea10007820e1011b065081284932fd8fa8ed5bfa7024ea
Opcode Fuzzy Hash: c1e7765e17a38a7ce3ef7d92bf970f950e035a5650690dcdeb515d4cc076bbc2
Instruction Fuzzy Hash: 2641BC71900205EBEF04AF65DC81AAA7BB8FF04304F1040A9FD04AB297D774DEA4DBA4

Function 005381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,004FF3AB,00000000,?,?,00000000,?,004F682C,00000004,00000000,00000000), ref: 0053824C
EnableWindow.USER32(?,00000000), ref: 00538272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005382D1
ShowWindow.USER32(?,00000004), ref: 005382E5
EnableWindow.USER32(?,00000001), ref: 0053830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0053832F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e42e9e655227e4e5b899f2a6037e804cbb173ff9531e1148314877275c9d2321
Instruction ID: f5486a9e81933a3ce49e7f9d2700da96a71bc30a40d7857fcf5ba379aa2e7b1f
Opcode Fuzzy Hash: e42e9e655227e4e5b899f2a6037e804cbb173ff9531e1148314877275c9d2321
Instruction Fuzzy Hash: 29419234601B44AFDB19CF19DC99BB57FE0FB5AB14F184169FA088F262CB31A845DB50

Function 00504C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00504C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00504CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00504CEA
_wcslen.LIBCMT ref: 00504D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00504D10
_wcsstr.LIBVCRUNTIME ref: 00504D1A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 0476b6c4869d69eaf3fc06c1eaa822697b6719f8f644999afc854ffe6325310c
Instruction ID: 63e0c4a92f6e19ea105362c9af7af9446f0901a773e8f04e06ab6279b1bac8d4
Opcode Fuzzy Hash: 0476b6c4869d69eaf3fc06c1eaa822697b6719f8f644999afc854ffe6325310c
Instruction Fuzzy Hash: D121D7B22042107BEB155B3A9C4AE7F7F9CEF55754F10402EF909DE191DA65DD009BA0

Function 0051581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 004A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004A3A97,?,?,004A2E7F,?,?,?,00000000), ref: 004A3AC2

_wcslen.LIBCMT ref: 0051587B
CoInitialize.OLE32(00000000), ref: 00515995
CoCreateInstance.OLE32(0053FCF8,00000000,00000001,0053FB68,?), ref: 005159AE
CoUninitialize.OLE32 ref: 005159CC

Strings

.lnk, xrefs: 00515876, 005158C1, 00515985

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: e20bbe277e063b6dbb0bf08ba1f6c1421bda2f340e1dd76a038137ffb90c14e5
Instruction ID: 99d579a5f612682988d3b3808a13f2925813780e32db54138610dbddc2fe8fad
Opcode Fuzzy Hash: e20bbe277e063b6dbb0bf08ba1f6c1421bda2f340e1dd76a038137ffb90c14e5
Instruction Fuzzy Hash: 25D16574608601DFD714DF25C480A6ABBE1FF99714F14485EF88A9B361EB31EC85CB92

Function 0050175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00500FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00500FCA
Part of subcall function 00500FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00500FD6
Part of subcall function 00500FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00500FE5
Part of subcall function 00500FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00500FEC
Part of subcall function 00500FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00501002

GetLengthSid.ADVAPI32(?,00000000,00501335), ref: 005017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005017BA
HeapAlloc.KERNEL32(00000000), ref: 005017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005017DA
GetProcessHeap.KERNEL32(00000000,00000000,00501335), ref: 005017EE
HeapFree.KERNEL32(00000000), ref: 005017F5

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8f4211489079c13443171fd8e52626668cef558011d5fe8963a6524f9039a8d5
Instruction ID: 52f6f79012f4b47ae4beac5ad0685e17e47ec814113dd0f4135a9a7fd66bc415
Opcode Fuzzy Hash: 8f4211489079c13443171fd8e52626668cef558011d5fe8963a6524f9039a8d5
Instruction Fuzzy Hash: B411BE32500605FFDB189FA4CC49BAE7FE9FB55355F104018F481E7290C735A944EB65

Function 005014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00501506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00501515
CloseHandle.KERNEL32(00000004), ref: 00501520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0050154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00501563

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 10b9e438c7b96f71a12c91d8bc029028e21241b9a61905dacb7a8d807d06e02f
Instruction ID: 0fb1d772bd8b4a7315d7b02b6729f04d26bea68ee72dbd3d1289dad4981ea19b
Opcode Fuzzy Hash: 10b9e438c7b96f71a12c91d8bc029028e21241b9a61905dacb7a8d807d06e02f
Instruction Fuzzy Hash: 4E112672500249ABDF118FA8DD49FDE7FA9FF48748F044029FA05A61A0C3758E68EB65

Function 004C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004C3379,004C2FE5), ref: 004C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004C33B7
SetLastError.KERNEL32(00000000,?,004C3379,004C2FE5), ref: 004C3409

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 77ecd46c30f02e9709eb50e5034637e9bc5a4996ee5bc11243a0fd5844eb17a3
Instruction ID: 6052f7df049d840bba22d679b4205c19b2f20de57d4edc1b6fe2c980c1d82348
Opcode Fuzzy Hash: 77ecd46c30f02e9709eb50e5034637e9bc5a4996ee5bc11243a0fd5844eb17a3
Instruction Fuzzy Hash: 4101D63A30C3116A96B42B797C95F6B2E54D72577F320822FF410812F1EE595D05614C

Function 004D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004D5686,004E3CD6,?,00000000,?,004D5B6A,?,?,?,?,?,004CE6D1,?,00568A48), ref: 004D2D78
_free.LIBCMT ref: 004D2DAB
_free.LIBCMT ref: 004D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,004CE6D1,?,00568A48,00000010,004A4F4A,?,?,00000000,004E3CD6), ref: 004D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,004CE6D1,?,00568A48,00000010,004A4F4A,?,?,00000000,004E3CD6), ref: 004D2DEC
_abort.LIBCMT ref: 004D2DF2

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: acade5f77034f75de0ae2d032e43c1b1984633c86e4e006153642972ef95dcfa
Instruction ID: da680cd3318c88d04d051d91cb1643e89edd3b1a7bf77001cb3ad8cdc4673632
Opcode Fuzzy Hash: acade5f77034f75de0ae2d032e43c1b1984633c86e4e006153642972ef95dcfa
Instruction Fuzzy Hash: C2F0F93150460027C21227397E36A5B29566FF27A5F24041FF424D33D1EEFC88056229

Function 00538A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004B9693
Part of subcall function 004B9639: SelectObject.GDI32(?,00000000), ref: 004B96A2
Part of subcall function 004B9639: BeginPath.GDI32(?), ref: 004B96B9
Part of subcall function 004B9639: SelectObject.GDI32(?,00000000), ref: 004B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00538A4E
LineTo.GDI32(?,00000003,00000000), ref: 00538A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00538A70
LineTo.GDI32(?,00000000,00000003), ref: 00538A80
EndPath.GDI32(?), ref: 00538A90
StrokePath.GDI32(?), ref: 00538AA0

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2e218535d5b89c0085b6d220bc5309605f41f3a1739192afeb4aa1270cd056b4
Instruction ID: 22f56c85a3d699d8370805db229d8ee4adbbb26386bc2651e205e1ea325160dc
Opcode Fuzzy Hash: 2e218535d5b89c0085b6d220bc5309605f41f3a1739192afeb4aa1270cd056b4
Instruction Fuzzy Hash: 73111B7600014CFFDF129F94DC88EAA7F6CEB18354F008052BA19AA2A1C7719D59EFA0

Function 005051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00505218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00505229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00505230
ReleaseDC.USER32(00000000,00000000), ref: 00505238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0050524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00505261

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f440f46c0e3a36ca8d6c7bafe68b8ec4241594bda1234c515ce7ca5ce15d0e8d
Instruction ID: 8c7d648e11cf514f35eb97284484d9e43b6a93411e7514f0bc9f834c262d101a
Opcode Fuzzy Hash: f440f46c0e3a36ca8d6c7bafe68b8ec4241594bda1234c515ce7ca5ce15d0e8d
Instruction Fuzzy Hash: 5D014F75A00719BBEB109BE69C49A5EBFB8FF58751F044066FA04E7391D6709804DFA0

Function 004A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 004A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 004A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 004A1C22

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a804534593292eed471e983bd71540bc2743bd25d39f01cb2693f9c0ceb5950c
Instruction ID: 004f9b85d94751e33f26da9cb4dc35a745f0ed582e025089701c29a316f1ad39
Opcode Fuzzy Hash: a804534593292eed471e983bd71540bc2743bd25d39f01cb2693f9c0ceb5950c
Instruction Fuzzy Hash: D4016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C4BA41C7F5A864CBE5

Function 0050EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0050EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0050EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0050EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0050EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0050EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0050EB75

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0a667eb9c0964a1d1f700b1a509d40e8c1e57cb83621af8fe2cf7ac3604ed58f
Instruction ID: c80b6dfa533636f0b71940d54d6c77e783fba5d87f7c07b1397d5221d9ca9d9b
Opcode Fuzzy Hash: 0a667eb9c0964a1d1f700b1a509d40e8c1e57cb83621af8fe2cf7ac3604ed58f
Instruction Fuzzy Hash: A7F05E72240158BBE7215B669C0EEEF3E7CEFDBB11F004158F601E5291D7A05A05E7B5

Function 004F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 004F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 004F7469
GetWindowDC.USER32(?), ref: 004F7475
GetPixel.GDI32(00000000,?,?), ref: 004F7484
ReleaseDC.USER32(?,00000000), ref: 004F7496
GetSysColor.USER32(00000005), ref: 004F74B0

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 64fb3e753cba368998079016fe64ad2f9582972409330c81b4289870d844dbb4
Instruction ID: 8d337cffaa8d3ba0a5b6c69ea427553ecfcf33aa9f7e8961f2ab0f6b4066fbc0
Opcode Fuzzy Hash: 64fb3e753cba368998079016fe64ad2f9582972409330c81b4289870d844dbb4
Instruction Fuzzy Hash: 4A018B31400609EFEB105FA8DC09BAA7FB5FB14311F1000A1FA16A22A0CB351E55FB11

Function 00501874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0050187F
UnloadUserProfile.USERENV(?,?), ref: 0050188B
CloseHandle.KERNEL32(?), ref: 00501894
CloseHandle.KERNEL32(?), ref: 0050189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005018A5
HeapFree.KERNEL32(00000000), ref: 005018AC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 0024ec10a5a33081d56148640608fc361862c80507b2cc8fa5906394fab8fa94
Instruction ID: 55d97d302e576f7da309f4398e8612e8c847ca7999c88780bb4264d84b014cc8
Opcode Fuzzy Hash: 0024ec10a5a33081d56148640608fc361862c80507b2cc8fa5906394fab8fa94
Instruction Fuzzy Hash: 3BE0E536004101BBDB015FA1ED0C90ABF39FF69B22B108624F225A1270CB329434FF50

Function 004ABBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004ABEB3

Strings

D%W, xrefs: 004ABCA2
D%W, xrefs: 004ABE9A
D%W, xrefs: 004ABDED, 004ABD91, 004ABD1B
D%WD%W, xrefs: 004ABCA5

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%W$D%W$D%W$D%WD%W
API String ID: 1385522511-699628468
Opcode ID: 16d1aa515d3b19747ed008874ebc606ed7777837e44ebe451a9593bc31fd7b6b
Instruction ID: 58f9df65710f6ef76f991a450ea63a73206dfe6f3b18c8ead534578ad04a093c
Opcode Fuzzy Hash: 16d1aa515d3b19747ed008874ebc606ed7777837e44ebe451a9593bc31fd7b6b
Instruction Fuzzy Hash: 83914C75A00206CFCB14CF59C090AAAB7F1FF6A310F24816ED945AB352D739AD81DBD4

Function 00527B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 004C0242: EnterCriticalSection.KERNEL32(0057070C,00571884,?,?,004B198B,00572518,?,?,?,004A12F9,00000000), ref: 004C024D
Part of subcall function 004C0242: LeaveCriticalSection.KERNEL32(0057070C,?,004B198B,00572518,?,?,?,004A12F9,00000000), ref: 004C028A

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 004C00A3: __onexit.LIBCMT ref: 004C00A9

__Init_thread_footer.LIBCMT ref: 00527BFB

Part of subcall function 004C01F8: EnterCriticalSection.KERNEL32(0057070C,?,?,004B8747,00572514), ref: 004C0202
Part of subcall function 004C01F8: LeaveCriticalSection.KERNEL32(0057070C,?,004B8747,00572514), ref: 004C0235

Strings

G, xrefs: 00527C7F
5, xrefs: 00527C78
Variable must be of type 'Object'., xrefs: 00527C3A
+TO, xrefs: 00527E2E

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TO$5$G$Variable must be of type 'Object'.
API String ID: 535116098-707387787
Opcode ID: e9c3bc55c7142a63c429f7b65c0b92446ecb7091e137d9915cae875d6fae8c20
Instruction ID: 261648412d77c21255f531d0f9582a334252d339e85d2ccf98fe82a2cdad4376
Opcode Fuzzy Hash: e9c3bc55c7142a63c429f7b65c0b92446ecb7091e137d9915cae875d6fae8c20
Instruction Fuzzy Hash: A891AB70A04219EFCB04EF94E894DADBBB1FF4A304F14845DF806AB292DB31AE41DB51

Function 0050C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A7620: _wcslen.LIBCMT ref: 004A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0050C6EE
_wcslen.LIBCMT ref: 0050C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0050C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0050C7CA

Strings

0, xrefs: 0050C6AF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 85b8c2527ede9a6a9c10e22ec636ba3236b4ccc6e7b80dbaf4b519f42977087f
Instruction ID: 71df39e5a8c5b2701da15b26bdfff544c2895dbed84aa9ef9cf5b7f14e2baad6
Opcode Fuzzy Hash: 85b8c2527ede9a6a9c10e22ec636ba3236b4ccc6e7b80dbaf4b519f42977087f
Instruction Fuzzy Hash: 6351BC716043009BD7649F28C885BAE7FE8FF9A314F040B2EF995E21E0DB64D9089B56

Function 0052AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0052AEA3

Part of subcall function 004A7620: _wcslen.LIBCMT ref: 004A7625

GetProcessId.KERNEL32(00000000), ref: 0052AF38
CloseHandle.KERNEL32(00000000), ref: 0052AF67

Strings

@, xrefs: 0052AE72
<, xrefs: 0052AE6B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ad3f3e98a9dec53788023d3f30345337c9e930af8bbe9f4c23b7ac133254f3aa
Instruction ID: aadc42891a9f705ceaeced62b2b851850b76b64c211686d10142d2c57468b4db
Opcode Fuzzy Hash: ad3f3e98a9dec53788023d3f30345337c9e930af8bbe9f4c23b7ac133254f3aa
Instruction Fuzzy Hash: 5D718975A00624DFCB14EF55D480A9EBBF4BF0A308F04849EE816AB392C778ED45CB95

Function 0050719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00507206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0050723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0050724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005072CF

Strings

DllGetClassObject, xrefs: 00507242

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: aea6bd80d312babd7f3be1ed30afdad5991b2deeb70e438274988c737956165c
Instruction ID: d1cefbc49aa23771fee0a03148e30126207f49450e26ad5b8ee60593f86163d7
Opcode Fuzzy Hash: aea6bd80d312babd7f3be1ed30afdad5991b2deeb70e438274988c737956165c
Instruction Fuzzy Hash: 17418F75A04209EFDB15CF54C884A9E7FA9FF48310F1584A9BD059F28AD7B0EE44DBA0

Function 00533D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00533E35
IsMenu.USER32(?), ref: 00533E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00533E92
DrawMenuBar.USER32 ref: 00533EA5

Strings

0, xrefs: 00533D89

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 546e255331d30fc001350a9bea7892cbdc47e2d26c1e798428400ab457db6393
Instruction ID: 482beae9ba2bf9f0803bd015a546e744d492b3193bd964ac4f6666e660a1ac05
Opcode Fuzzy Hash: 546e255331d30fc001350a9bea7892cbdc47e2d26c1e798428400ab457db6393
Instruction Fuzzy Hash: A1414575A01209AFDB10DF64D884EAABBB9FF49354F044129E905AB350D730AE55EF60

Function 00501DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 00503CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00503CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00501E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00501E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00501EA9

Part of subcall function 004A6B57: _wcslen.LIBCMT ref: 004A6B6A

Strings

ListBox, xrefs: 00501E25
ComboBox, xrefs: 00501DF0

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 145f78fd7b3019cdadc531e76b6f9baa49d46ec1c1a242a27acd83f600e5e2ef
Instruction ID: efdf822df6cfa625db4eff740ba83936402bd4b5865862f075b44aa54d54a1c3
Opcode Fuzzy Hash: 145f78fd7b3019cdadc531e76b6f9baa49d46ec1c1a242a27acd83f600e5e2ef
Instruction Fuzzy Hash: A2212371A00504AADB14AB65CC46CFFBFBDFF563A4B14411EF826A72E0DB384D0A9624

Function 00532F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00532F8D
LoadLibraryW.KERNEL32(?), ref: 00532F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00532FA9
DestroyWindow.USER32(?), ref: 00532FB1

Strings

SysAnimate32, xrefs: 00532F68

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 28a0443efc7032ab9b90a10b1f6addf72b5ae21e56a27ca391004a4bbf09bdf1
Instruction ID: d733e5b1a6436f4b9d146eae9a0d11c1cc3d8579919235b68d6fa62e46cfb88d
Opcode Fuzzy Hash: 28a0443efc7032ab9b90a10b1f6addf72b5ae21e56a27ca391004a4bbf09bdf1
Instruction Fuzzy Hash: 5B21C071204605ABEB104F64DC86EBB7BBDFF59368F100618F954D6190D771DC91A760

Function 004C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004C4D1E,004D28E9,?,004C4CBE,004D28E9,005688B8,0000000C,004C4E15,004D28E9,00000002), ref: 004C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,004C4D1E,004D28E9,?,004C4CBE,004D28E9,005688B8,0000000C,004C4E15,004D28E9,00000002,00000000), ref: 004C4DC3

Strings

CorExitProcess, xrefs: 004C4D98
mscoree.dll, xrefs: 004C4D86

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 89aa44add5d80d7385c67ec5f04d1a3a4d9610fcfd70279cd2fb36ec290069e1
Instruction ID: f7afa786729c6fe3e58f63b0576733490d0e1e42e5ce41c68fdfb02f18da0542
Opcode Fuzzy Hash: 89aa44add5d80d7385c67ec5f04d1a3a4d9610fcfd70279cd2fb36ec290069e1
Instruction Fuzzy Hash: C0F0AF39A00208BBDB509F90DC09FEEBFB4EF54715F0000A9F906A63A0CB745A44EB95

Function 004A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004A4EDD,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004A4EAE
FreeLibrary.KERNEL32(00000000,?,?,004A4EDD,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 004A4EA8
kernel32.dll, xrefs: 004A4E94

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d4c781656a9bbcc5afde37fcd0be2b91531a7aec67b8295639c41ea79f2649d0
Instruction ID: f73da69336b937ffd5a22a32ae1574303b858b0e713e8abbeeb7aa0708dbe7c8
Opcode Fuzzy Hash: d4c781656a9bbcc5afde37fcd0be2b91531a7aec67b8295639c41ea79f2649d0
Instruction Fuzzy Hash: EAE08636A016225BD22117256C18A5F6E54AFE3B63B050116FC01F3300DBA4CD05A2E4

Function 004A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004E3CDE,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004A4E74
FreeLibrary.KERNEL32(00000000,?,?,004E3CDE,?,00571418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004A4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 004A4E6E
kernel32.dll, xrefs: 004A4E5B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 03c1db25dcb4add31be38974b31a7687a8f4de29fc3b990e4ea26307610fd9d3
Instruction ID: ea658c250665f79d72f2f690fff0d4d829d627205c10e7f560e2452bea312421
Opcode Fuzzy Hash: 03c1db25dcb4add31be38974b31a7687a8f4de29fc3b990e4ea26307610fd9d3
Instruction Fuzzy Hash: 4DD0C2365026215786221B247C18D8F6E18BFE3B213050112B801F7310CFA4CD01E6D4

Function 00512947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00512C05
DeleteFileW.KERNEL32(?), ref: 00512C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00512C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00512CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00512CC0

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 8fc4aa8be003e0c43bb3e2cbca00262ee40923ef227dda017e0e87311ec19b60
Instruction ID: 05a7d326caea089a1087901ec25236d256186eedfd49c8efecfbf53d38b2a259
Opcode Fuzzy Hash: 8fc4aa8be003e0c43bb3e2cbca00262ee40923ef227dda017e0e87311ec19b60
Instruction Fuzzy Hash: 20B18E71D00119ABDF10DBA5CD89EDEBBBDFF59344F0040AAF609E6141EA349E948FA0

Function 0052A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0052A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0052A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0052A468
CloseHandle.KERNEL32(?), ref: 0052A63D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 240b4568f06201be7a89fb7e4a54f81ceb7de9e1ab9bad2d1c10aa626a183727
Instruction ID: 6a452c60ad567bf63cf2e25b5082a5c9df01d66684313ef79f3425a6e37f12e4
Opcode Fuzzy Hash: 240b4568f06201be7a89fb7e4a54f81ceb7de9e1ab9bad2d1c10aa626a183727
Instruction Fuzzy Hash: 65A1CF71604300AFD720DF25D882F2ABBE1AF95718F14881DF95A9B3D2D7B4EC418B92

Function 004DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00543700), ref: 004DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0057121C,000000FF,00000000,0000003F,00000000,?,?), ref: 004DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00571270,000000FF,?,0000003F,00000000,?), ref: 004DBC36
_free.LIBCMT ref: 004DBB7F

Part of subcall function 004D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000), ref: 004D29DE
Part of subcall function 004D29C8: GetLastError.KERNEL32(00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000,00000000), ref: 004D29F0

_free.LIBCMT ref: 004DBD4B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 9acc87536c0af8ceaad89aeed01ba95091b69843d3f262e6a60a7199f2fa28b7
Instruction ID: 9b9b2d0be9ee151b03938e677a5a143f95123539b4c7286bbc54007237f2e585
Opcode Fuzzy Hash: 9acc87536c0af8ceaad89aeed01ba95091b69843d3f262e6a60a7199f2fa28b7
Instruction Fuzzy Hash: 4B512871900208EFCB10DF6A9C619AEBBB8FF50714B11426FE454D7391EB749E44ABD8

Function 0050E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0050DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0050CF22,?), ref: 0050DDFD

Part of subcall function 0050DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0050CF22,?), ref: 0050DE16

Part of subcall function 0050E199: GetFileAttributesW.KERNEL32(?,0050CF95), ref: 0050E19A

lstrcmpiW.KERNEL32(?,?), ref: 0050E473
MoveFileW.KERNEL32(?,?), ref: 0050E4AC
_wcslen.LIBCMT ref: 0050E5EB
_wcslen.LIBCMT ref: 0050E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0050E650

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a0e4575f1f7f1c79a283d9cb1ff3379e1e494e99345b6cea2bf2dbf636107f6a
Instruction ID: 39d2a050aa5ae1e4ee2b75842fc07ef5354295bc2c7c191867345f0c33e21eb6
Opcode Fuzzy Hash: a0e4575f1f7f1c79a283d9cb1ff3379e1e494e99345b6cea2bf2dbf636107f6a
Instruction Fuzzy Hash: 8151C1B20083455BC764EBA0DC81ADFB7ECAF95344F104D2EF589D3191EF35A688876A

Function 0052B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 0052C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052B6AE,?,?), ref: 0052C9B5
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052C9F1
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052CA68
Part of subcall function 0052C998: _wcslen.LIBCMT ref: 0052CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0052BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0052BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0052BB63
RegCloseKey.ADVAPI32(?,?), ref: 0052BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0052BBB3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6f1597e03df1b417f3b389dc45b0e2005cafcc4c3c487f6e01b53833038b074f
Instruction ID: da0b422becb2bc7c4e88408962d3624c7bcddf7c5e893ea422e8f46ce2f6aee4
Opcode Fuzzy Hash: 6f1597e03df1b417f3b389dc45b0e2005cafcc4c3c487f6e01b53833038b074f
Instruction Fuzzy Hash: B161D231208241EFD714DF14D494E2ABBE5FF86348F14895DF4998B2A2CB35ED45CB92

Function 00508BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00508BCD
VariantClear.OLEAUT32 ref: 00508C3E
VariantClear.OLEAUT32 ref: 00508C9D
VariantClear.OLEAUT32(?), ref: 00508D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00508D3B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 67027d7bc22bb73cf38aa6faa8d34c2436268ef1d5172119f94205dddde989be
Instruction ID: f6fc9e4cfb0d0a918fa4c3c28f933af3eed9699f9633ef286f89061fd803bade
Opcode Fuzzy Hash: 67027d7bc22bb73cf38aa6faa8d34c2436268ef1d5172119f94205dddde989be
Instruction Fuzzy Hash: 275169B5A00619EFCB10CF68C884EAABBF8FF89310B158559E945EB350E730E911CF90

Function 00518AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00518BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00518BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00518C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00518C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00518C5F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: b5f96a0e5ec416aed4ffc9cb18b0e3cad0e8edbecc66055c09e9de4558f1f1b6
Instruction ID: 48ed5a2f0088bba1a4a19a516ae52ba986955db292bf5c9ad6d5741f93631ecf
Opcode Fuzzy Hash: b5f96a0e5ec416aed4ffc9cb18b0e3cad0e8edbecc66055c09e9de4558f1f1b6
Instruction Fuzzy Hash: 40515C35A00214EFDB10DF65C881AAEBBF5FF49318F088459E849AB362DB35ED51CB94

Function 00528EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00528F40
GetProcAddress.KERNEL32(00000000,?), ref: 00528FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00528FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00529032
FreeLibrary.KERNEL32(00000000), ref: 00529052

Part of subcall function 004BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00511043,?,75C0E610), ref: 004BF6E6
Part of subcall function 004BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,004FFA64,00000000,00000000,?,?,00511043,?,75C0E610,?,004FFA64), ref: 004BF70D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 9e55167907ee8d8bd679d393f91ebf2431d486d3aca77a60a6bbda1877fe18e0
Instruction ID: afa2967b487786e0d057880b6ae137f574b78e0f72714e1dcbdb4539bec87efb
Opcode Fuzzy Hash: 9e55167907ee8d8bd679d393f91ebf2431d486d3aca77a60a6bbda1877fe18e0
Instruction Fuzzy Hash: 46513B35601215DFC711DF55C4948ADBBF1FF5A358F088099E809AB3A2DB35ED85CB90

Function 00536B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00536C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00536C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00536C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0051AB79,00000000,00000000), ref: 00536C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00536CC7

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 1f8606d3f36ee6eb02067a52a8264d4c44cf76c82dcd4275727bbc7d9512c7bd
Instruction ID: f92e567ea896ef7e08cfcf4c033f0455083949e495e2eeb2b14e124a1d237866
Opcode Fuzzy Hash: 1f8606d3f36ee6eb02067a52a8264d4c44cf76c82dcd4275727bbc7d9512c7bd
Instruction Fuzzy Hash: 7A419F35A04108BFDB24CF28CC59FA9BFA5FB09350F15926CE999AB2A0C371ED41DA50

Function 004D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004D20C3
_free.LIBCMT ref: 004D20E3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8278a529b8511cd5b4d8d439836626147d5d47dea23f7f834331e0d00fc6c22d
Instruction ID: 73624924707184cdf360c3704b0622ae999bd3ba329219284d3ee96301d52486
Opcode Fuzzy Hash: 8278a529b8511cd5b4d8d439836626147d5d47dea23f7f834331e0d00fc6c22d
Instruction Fuzzy Hash: 6141F172A00200AFCB20DF79CA90A6EB7A1EF98314B1581ABE605EB351D675AD01DB84

Function 004B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004B9141
ScreenToClient.USER32(00000000,?), ref: 004B915E
GetAsyncKeyState.USER32(00000001), ref: 004B9183
GetAsyncKeyState.USER32(00000002), ref: 004B919D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d7de96cefd6a2ca4caf2f3af7438b1459ea497de69199326e38686625a011cb5
Instruction ID: 44a3687bc63bb7d2c6213aeb26a0ee827d1b0b6934370cdc3a48f9d94b03f076
Opcode Fuzzy Hash: d7de96cefd6a2ca4caf2f3af7438b1459ea497de69199326e38686625a011cb5
Instruction Fuzzy Hash: 86416E3190850ABBDF059F68C848BFEBB74FF05324F20821AE525A6390C7385D54DBA5

Function 00513874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00513922
TranslateMessage.USER32(?), ref: 0051394B
DispatchMessageW.USER32(?), ref: 00513955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00513966

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cc5be42a307d35be0a530c1148c284ddff06b1534c267c8b54b782476b8967d7
Instruction ID: 72f8197354708105b4dd258720084311bd6b05febb8f12e5544e74e66b0ef517
Opcode Fuzzy Hash: cc5be42a307d35be0a530c1148c284ddff06b1534c267c8b54b782476b8967d7
Instruction Fuzzy Hash: 6C31D770504741AEFB35CF34A869FF63FA8FB25304F04096DE466961A0E3B496C9EB51

Function 0051CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0051C21E,00000000), ref: 0051CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0051CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0051C21E,00000000), ref: 0051CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0051C21E,00000000), ref: 0051CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0051C21E,00000000), ref: 0051CFF2

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4158f31f6850744da6ab16e0d5d0580b167a278aa92a3e97306c4a3f77dee4d0
Instruction ID: 302d35c1f7ed2fc26905cbef6dc9018905298bea0f4ce799f378b830770e7116
Opcode Fuzzy Hash: 4158f31f6850744da6ab16e0d5d0580b167a278aa92a3e97306c4a3f77dee4d0
Instruction Fuzzy Hash: 52314C71540205AFEB20DFA5C884AEBBFF9FB14354B10442EF516E2241EB35EE86DB60

Function 00501901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00501915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005019E2

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7f8a26ec0c9f414a0d8a8bdf9413fe42b743a0997cddbf17f5e9b7c4e986b584
Instruction ID: cd2151c67f36e2aa164911053bd805ac140f566802e90625e2e5d8c7a085025e
Opcode Fuzzy Hash: 7f8a26ec0c9f414a0d8a8bdf9413fe42b743a0997cddbf17f5e9b7c4e986b584
Instruction Fuzzy Hash: 5231AB72A00619EFCB00CFA8C999AEE3FB5FB55315F104629F921AB2D1C7709944DB91

Function 00535706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00535745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0053579D
_wcslen.LIBCMT ref: 005357AF
_wcslen.LIBCMT ref: 005357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00535816

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7094e2a78ffee37e319e9523237455d1a73c388a1b9c22dab153c0111b8de7e4
Instruction ID: c608c11c651eaab8b756a8c8aff042b781a7a1a1713aabf17f3d3da0e7064178
Opcode Fuzzy Hash: 7094e2a78ffee37e319e9523237455d1a73c388a1b9c22dab153c0111b8de7e4
Instruction Fuzzy Hash: E421B475904618DADF208FA4DC85AEE7FB8FF54324F109616F929EB280E7708A85CF50

Function 00520930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00520951
GetForegroundWindow.USER32 ref: 00520968
GetDC.USER32(00000000), ref: 005209A4
GetPixel.GDI32(00000000,?,00000003), ref: 005209B0
ReleaseDC.USER32(00000000,00000003), ref: 005209E8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ca4bdc9edf7db7880115061acc8d2ec738cd1eb3058cda3d979ab87f0a0aa99e
Instruction ID: f8504a9b7c69b31bf5fbf68aadf519302762f82a71f697fbe1eebb53fde82fbc
Opcode Fuzzy Hash: ca4bdc9edf7db7880115061acc8d2ec738cd1eb3058cda3d979ab87f0a0aa99e
Instruction Fuzzy Hash: 3A219235600214AFD704EF69D889A9EBFE9FF55704F04806DE846A77A2CB30EC44DB50

Function 004DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004DCDE9

Part of subcall function 004D3820: RtlAllocateHeap.NTDLL(00000000,?,00571444,?,004BFDF5,?,?,004AA976,00000010,00571440,004A13FC,?,004A13C6,?,004A1129), ref: 004D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004DCE0F
_free.LIBCMT ref: 004DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004DCE31

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 51c9930ebc4d2ebdc1bf504d1d5c1ce44a23723169e9d13d3d9a65e409eee7a9
Instruction ID: 1f347b65c043104c556d92dbb09e32f9ec8e9e622d886afd85ebe7e4e030651a
Opcode Fuzzy Hash: 51c9930ebc4d2ebdc1bf504d1d5c1ce44a23723169e9d13d3d9a65e409eee7a9
Instruction Fuzzy Hash: E801D8B26012167F272116BB6CD8D7BBE6DDEC6BA1315012FF905D7300DA688D01E2B8

Function 004B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004B9693
SelectObject.GDI32(?,00000000), ref: 004B96A2
BeginPath.GDI32(?), ref: 004B96B9
SelectObject.GDI32(?,00000000), ref: 004B96E2

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 59357b07dc6a9a93b7f5cd925db798d35fd38e81bc3b11231a92d99b680ff21f
Instruction ID: 900595c293c3dde660d2266b34033597605224f22292ad039bc82859a20f491e
Opcode Fuzzy Hash: 59357b07dc6a9a93b7f5cd925db798d35fd38e81bc3b11231a92d99b680ff21f
Instruction Fuzzy Hash: 14216031801609EFDB119F68EC197EA7BA4BB20315F100216F614A62A0D3785C9AFBAC

Function 00505711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00505726
_memcmp.LIBVCRUNTIME ref: 00505744
_memcmp.LIBVCRUNTIME ref: 00505757
_memcmp.LIBVCRUNTIME ref: 0050576F
_memcmp.LIBVCRUNTIME ref: 00505787

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: be35defa462cff15f14e53220a40ea779808354600c74c13867cb7b23414113b
Instruction ID: 5597f931321d24283a1b0f6337ebff991f55aba7de74a98ea82d2db5c3f27203
Opcode Fuzzy Hash: be35defa462cff15f14e53220a40ea779808354600c74c13867cb7b23414113b
Instruction Fuzzy Hash: A301F5A5681609BBE71851119E82FBF7B4CFF223DCF000029FE049A6D2F724ED109BA5

Function 004D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004CF2DE,004D3863,00571444,?,004BFDF5,?,?,004AA976,00000010,00571440,004A13FC,?,004A13C6), ref: 004D2DFD
_free.LIBCMT ref: 004D2E32
_free.LIBCMT ref: 004D2E59
SetLastError.KERNEL32(00000000,004A1129), ref: 004D2E66
SetLastError.KERNEL32(00000000,004A1129), ref: 004D2E6F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 05379d2809ef9f9537c1598ab47dbaf6ba497e34363a2a3093be285155ce257f
Instruction ID: 85f5a68adde4843e24fc77e1bc117ef09d159e6b2df23745c4fdea625e817f7e
Opcode Fuzzy Hash: 05379d2809ef9f9537c1598ab47dbaf6ba497e34363a2a3093be285155ce257f
Instruction Fuzzy Hash: 53017D726006006BC61227366E65D2B2B5DABF13BA720042FF424E33D2EFFCCC056129

Function 0050000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004FFF41,80070057,?,?,?,0050035E), ref: 0050002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004FFF41,80070057,?,?), ref: 00500046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004FFF41,80070057,?,?), ref: 00500054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004FFF41,80070057,?), ref: 00500064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004FFF41,80070057,?,?), ref: 00500070

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4572ddb1c256ba616e40744fa48ca91d37cae0781fb0e014c61942aefe6f9ba0
Instruction ID: 2a4efca5337a25b900daebad65bbb9f78a63b178c0c89f5cf2456f5745d12bbd
Opcode Fuzzy Hash: 4572ddb1c256ba616e40744fa48ca91d37cae0781fb0e014c61942aefe6f9ba0
Instruction Fuzzy Hash: 3F018F76600204BFDB104F69DC0CBAEBEADFB44751F145124F905E2290DB71DE44ABA0

Function 0050E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0050E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0050E9A5
Sleep.KERNEL32(00000000), ref: 0050E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0050E9B7
Sleep.KERNEL32 ref: 0050E9F3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 83e641925176222bd9b8262553053b5b1c53dbe9cbd0b5f0f5924d7bb32ef9c7
Instruction ID: 3da9d9d9866f507d54a897f9fa2fde30de0e93fc4f1236b8dcc9ba92477a9e7b
Opcode Fuzzy Hash: 83e641925176222bd9b8262553053b5b1c53dbe9cbd0b5f0f5924d7bb32ef9c7
Instruction Fuzzy Hash: DA015731C01629DBCF00ABE5D95AAEDBF78BB18301F100946E502B2291CB309658EBA1

Function 005010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00501114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00500B9B,?,?,?), ref: 00501120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00500B9B,?,?,?), ref: 0050112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00500B9B,?,?,?), ref: 00501136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0050114D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 82d6765795fc646808c660579ab0fa94437c6ef80c7ece88750b4ac07b156caf
Instruction ID: ed55c61409f936e0ae8b71c258e5478d25f48919500c578e03f84f9269883d30
Opcode Fuzzy Hash: 82d6765795fc646808c660579ab0fa94437c6ef80c7ece88750b4ac07b156caf
Instruction Fuzzy Hash: 8B011975200615BFDB154FA5DC49A6A3F6EFF893A0B204419FA45E73A0DA31DC04EB60

Function 00500FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00500FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00500FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00500FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00500FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00501002

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d96a8a6a1a866f946ca0cebf37b4ca3e89b04a336045a7a78f27628c3e2d59a3
Instruction ID: 35fde62185e266233b4bcadb5e659d8ab3180b737910b6a66f753361f1208a1c
Opcode Fuzzy Hash: d96a8a6a1a866f946ca0cebf37b4ca3e89b04a336045a7a78f27628c3e2d59a3
Instruction Fuzzy Hash: AAF04935200701ABDB224FA59C4DF5A3FADFF99762F104414FA85E7391DA70DC54AB60

Function 00501014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0050102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00501036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00501045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0050104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00501062

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 55b55a2fd34d6c5afbc79c08d3612e7c800f674615d8e23a34852e27215766f7
Instruction ID: 806e8aa3838f74d13105c10fdce562bae60724bed2d9d905174aaa64767a0242
Opcode Fuzzy Hash: 55b55a2fd34d6c5afbc79c08d3612e7c800f674615d8e23a34852e27215766f7
Instruction Fuzzy Hash: 77F04935200701ABDB215FA6EC5DF5A3FADFF99761F100414FA85E7390CA70D854AB60

Function 0051030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0051017D,?,005132FC,?,00000001,004E2592,?), ref: 00510324
CloseHandle.KERNEL32(?,?,?,?,0051017D,?,005132FC,?,00000001,004E2592,?), ref: 00510331
CloseHandle.KERNEL32(?,?,?,?,0051017D,?,005132FC,?,00000001,004E2592,?), ref: 0051033E
CloseHandle.KERNEL32(?,?,?,?,0051017D,?,005132FC,?,00000001,004E2592,?), ref: 0051034B
CloseHandle.KERNEL32(?,?,?,?,0051017D,?,005132FC,?,00000001,004E2592,?), ref: 00510358
CloseHandle.KERNEL32(?,?,?,?,0051017D,?,005132FC,?,00000001,004E2592,?), ref: 00510365

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f523c33a0e2e4d3bcdeda4be8dc80eac9a6586cb9594614bb726307828efa4c8
Instruction ID: 3a1da09ee6cf4471f92bf7bf26bb5d326d8cb1bb3a379996a25451fa1332d864
Opcode Fuzzy Hash: f523c33a0e2e4d3bcdeda4be8dc80eac9a6586cb9594614bb726307828efa4c8
Instruction Fuzzy Hash: AC01EE72800B018FDB30AF66D880842FBF9BF603053049E3FD1A252970C3B0A999DF80

Function 004DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004DD752

Part of subcall function 004D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000), ref: 004D29DE
Part of subcall function 004D29C8: GetLastError.KERNEL32(00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000,00000000), ref: 004D29F0

_free.LIBCMT ref: 004DD764
_free.LIBCMT ref: 004DD776
_free.LIBCMT ref: 004DD788
_free.LIBCMT ref: 004DD79A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 397f8c71c66650d8342054bd906db316f57ae4f501e1b16e2cec890808008fc0
Instruction ID: bdfa8ef44a19b3842e31d249ff9ffa21381d00260226b1c7294e1c492359a58e
Opcode Fuzzy Hash: 397f8c71c66650d8342054bd906db316f57ae4f501e1b16e2cec890808008fc0
Instruction Fuzzy Hash: C1F068B2A402046B8631EB59FAE5C177BDDBB54310B94084BF059D7702C778FC405668

Function 00505C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00505C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00505C6F
MessageBeep.USER32(00000000), ref: 00505C87
KillTimer.USER32(?,0000040A), ref: 00505CA3
EndDialog.USER32(?,00000001), ref: 00505CBD

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d8b232672574d8ff4bf1ab540f27aca8870a72f097cb7dfa52f77abb8b72b51a
Instruction ID: 943addd37f4ce1b1b9149d4b2d15fe3516be17a6d49e1b0225e0159e02bf69e2
Opcode Fuzzy Hash: d8b232672574d8ff4bf1ab540f27aca8870a72f097cb7dfa52f77abb8b72b51a
Instruction Fuzzy Hash: 30011D31500B04ABFB215B14DE4FFAA7FB8BB14B05F041559A583B15E1EBF4AD889F90

Function 004D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004D22BE

Part of subcall function 004D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000), ref: 004D29DE
Part of subcall function 004D29C8: GetLastError.KERNEL32(00000000,?,004DD7D1,00000000,00000000,00000000,00000000,?,004DD7F8,00000000,00000007,00000000,?,004DDBF5,00000000,00000000), ref: 004D29F0

_free.LIBCMT ref: 004D22D0
_free.LIBCMT ref: 004D22E3
_free.LIBCMT ref: 004D22F4
_free.LIBCMT ref: 004D2305

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3f88d405b040507c24fb3a3d41b49908f59535974696edec5c205b802ee1e01a
Instruction ID: b552ea2180cbec275c4b7b912fc92a2d4d3d8acd2c2402edac7b2abde70d6bab
Opcode Fuzzy Hash: 3f88d405b040507c24fb3a3d41b49908f59535974696edec5c205b802ee1e01a
Instruction Fuzzy Hash: 90F030F85005108B8622AF69BD218193FA4B739750700158BF418D33B2CBB80499BBAC

Function 004B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004B95D4
StrokeAndFillPath.GDI32(?,?,004F71F7,00000000,?,?,?), ref: 004B95F0
SelectObject.GDI32(?,00000000), ref: 004B9603
DeleteObject.GDI32 ref: 004B9616
StrokePath.GDI32(?), ref: 004B9631

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 306c0f34dd7a38b0698da7e48d5a711e47ed33bfd5d619047f3ac3c14b89a516
Instruction ID: 61e18f95751a19781432b5bd713162ceadf0d077cd7b7619216c0587e1120c20
Opcode Fuzzy Hash: 306c0f34dd7a38b0698da7e48d5a711e47ed33bfd5d619047f3ac3c14b89a516
Instruction Fuzzy Hash: F6F03131005644EBDB265F59FD1C7A93F61A720322F048215F619652F0C734499AFF28

Function 004D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004D10F9
__freea.LIBCMT ref: 004D1117

Part of subcall function 004D1537: _free.LIBCMT ref: 004D154F

Strings

a/p, xrefs: 004D11DE
am/pm, xrefs: 004D117A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 591436bf7b1ead1b77389bf3439b6eee8c5d050d180d00cdac861c492e1e1359
Instruction ID: 7829ae3e262b7677979b964a721e474b375fc504f10e1e6dbba51c54b20d54b7
Opcode Fuzzy Hash: 591436bf7b1ead1b77389bf3439b6eee8c5d050d180d00cdac861c492e1e1359
Instruction Fuzzy Hash: 04D1D335900205EAEB299F68C865BBFB7B1EF06300F24415BED01ABB61D37D9D81CB59

Function 005261D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 004C0242: EnterCriticalSection.KERNEL32(0057070C,00571884,?,?,004B198B,00572518,?,?,?,004A12F9,00000000), ref: 004C024D
Part of subcall function 004C0242: LeaveCriticalSection.KERNEL32(0057070C,?,004B198B,00572518,?,?,?,004A12F9,00000000), ref: 004C028A

Part of subcall function 004C00A3: __onexit.LIBCMT ref: 004C00A9

__Init_thread_footer.LIBCMT ref: 00526238

Part of subcall function 004C01F8: EnterCriticalSection.KERNEL32(0057070C,?,?,004B8747,00572514), ref: 004C0202
Part of subcall function 004C01F8: LeaveCriticalSection.KERNEL32(0057070C,?,004B8747,00572514), ref: 004C0235

Part of subcall function 0051359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005135E4
Part of subcall function 0051359C: LoadStringW.USER32(00572390,?,00000FFF,?), ref: 0051360A

Strings

x#W, xrefs: 0052633A
x#W, xrefs: 0052636F
x#W, xrefs: 00526353

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#W$x#W$x#W
API String ID: 1072379062-177975842
Opcode ID: e367aca856a8ee74c7e5822dff4a95dec5cf5f9f4ad3d42b87fc58185b9156d0
Instruction ID: e8fe29ebde2eba31f24a0c40df9f8b1d4d038f111b2c7e78bb2912e43c536769
Opcode Fuzzy Hash: e367aca856a8ee74c7e5822dff4a95dec5cf5f9f4ad3d42b87fc58185b9156d0
Instruction Fuzzy Hash: F8C18C71A00115AFCB14EF58D890EBEBBB9FF59300F10846AF945AB291DB74ED45CBA0

Function 004D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOJ, xrefs: 004D5BA8, 004D5C6C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: JOJ
API String ID: 0-1671703104
Opcode ID: 10cb7a235458f99482229239ad99107f1e03f4c13942c2a951c27e57e54a586a
Instruction ID: 0851f5559cae9c59621fcd6269306dd900ee53fe625c7c230792fba1db333b9d
Opcode Fuzzy Hash: 10cb7a235458f99482229239ad99107f1e03f4c13942c2a951c27e57e54a586a
Instruction Fuzzy Hash: F1510E75D10609AFCB209FA9C865FAFBBB8AF05314F10005FF404A7391DA7D9902DB6A

Function 004D8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 004D8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 004D8B7A
__dosmaperr.LIBCMT ref: 004D8B81

Strings

.L, xrefs: 004D8A63

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .L
API String ID: 2434981716-3603714933
Opcode ID: b11d1288e111b4b7f0cb58a01c8eeafcb61b3f2523b862388bcd44b24403f3f3
Instruction ID: f705f8de240f893f00e316c66d7ac12746a8ff5b57d0ba79aee0f0411a468182
Opcode Fuzzy Hash: b11d1288e111b4b7f0cb58a01c8eeafcb61b3f2523b862388bcd44b24403f3f3
Instruction Fuzzy Hash: EB416E74604185AFDB259F28DCA0A7E7FE5DB86304F2841AFF88587342DE39DC02A758

Function 00502716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0050B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005021D0,?,?,00000034,00000800,?,00000034), ref: 0050B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00502760

Part of subcall function 0050B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0050B3F8

Part of subcall function 0050B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0050B355
Part of subcall function 0050B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00502194,00000034,?,?,00001004,00000000,00000000), ref: 0050B365
Part of subcall function 0050B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00502194,00000034,?,?,00001004,00000000,00000000), ref: 0050B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0050281A

Strings

@, xrefs: 00502832

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d07da12a62946fbd84bd996b373b3d7ee89370b57a882f8190d695230b16f855
Instruction ID: d0a7dbc24008c70e583f30f0e2fa1e66ec0b627f51d411f5aadf39c642e2cb93
Opcode Fuzzy Hash: d07da12a62946fbd84bd996b373b3d7ee89370b57a882f8190d695230b16f855
Instruction Fuzzy Hash: 3D414E76900219AFDB10DFA4CD86AEEBBB8FF49300F108059FA55B7191DB706E45CBA0

Function 004D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 004D1769
_free.LIBCMT ref: 004D1834
_free.LIBCMT ref: 004D183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 004D1760, 004D1767, 004D1796, 004D17CE

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 3b750918483f51c30d36e65d96f8124540b34034e2775967484186f50bcc9699
Instruction ID: 75ca5b3c558207cf6efa8647c92e58b4f7f268def70b5063f935c104275a356d
Opcode Fuzzy Hash: 3b750918483f51c30d36e65d96f8124540b34034e2775967484186f50bcc9699
Instruction Fuzzy Hash: D33182B5A00218BFDB21DB9AD895D9FBBFCEB95310B1041ABF804D7321D6744E44EB98

Function 0050C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0050C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0050C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00571990,00DD5D88), ref: 0050C395

Strings

0, xrefs: 0050C2DF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 3c9ed2c0372c0d837f300fba970c6dac579a7d6f4e1861a201f12cf930bd3ba3
Instruction ID: 8ffbde03f868d368ce7a2d47c5af4f3fe25c93cda34d97a322d7804d8ac30ac5
Opcode Fuzzy Hash: 3c9ed2c0372c0d837f300fba970c6dac579a7d6f4e1861a201f12cf930bd3ba3
Instruction Fuzzy Hash: 59417C312043029FD720DF25D885B9EBFA4BB96324F148B1EF9A5972D1D770A904CB62

Function 00534416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0053CC08,00000000,?,?,?,?), ref: 005344AA
GetWindowLongW.USER32 ref: 005344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005344D7

Strings

SysTreeView32, xrefs: 0053447C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: db8612c7913a32e830cb6530db190f77dd846293b2b949386fd12bf91d662bf7
Instruction ID: 394659fdac89857fd88d0c8b1e4727b51cbdb7b5fb6140844a96c6e697b7c45c
Opcode Fuzzy Hash: db8612c7913a32e830cb6530db190f77dd846293b2b949386fd12bf91d662bf7
Instruction Fuzzy Hash: 50319E32210605AFDF209E78DC45BEA7BA9FB09338F244729F975A22D0D774EC509B50

Function 00506E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00506EED
VariantCopyInd.OLEAUT32(?,?), ref: 00506F08
VariantClear.OLEAUT32(?), ref: 00506F12

Strings

*jP, xrefs: 00506E8B, 00506E90, 00506EF8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jP
API String ID: 2173805711-1055049981
Opcode ID: 4ad6ae25dcd957293385b70ab56cffb497d70b05607e14d47abdaafc375f0100
Instruction ID: d5130c20d230c73aad919e09abca3aa8f2bce4b1afda7b175a050a4c7e21659c
Opcode Fuzzy Hash: 4ad6ae25dcd957293385b70ab56cffb497d70b05607e14d47abdaafc375f0100
Instruction Fuzzy Hash: 8D31C471604246DFCB04AFA5E8509BE3B76FF55708B1008ADF8024B2E2C7349961DBD4

Function 0052304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0052335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00523077,?,?), ref: 00523378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0052307A
_wcslen.LIBCMT ref: 0052309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00523106

Strings

255.255.255.255, xrefs: 00523095, 0052309A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 1bfffce1471e4011fe9413493f3f74e3c32b58b772b2e3b70bf11e67db068e9a
Instruction ID: 144fd9267943ddb584f6b6925a1c36920b86c1f44d9b92ead8792d012da5dde1
Opcode Fuzzy Hash: 1bfffce1471e4011fe9413493f3f74e3c32b58b772b2e3b70bf11e67db068e9a
Instruction Fuzzy Hash: 7D31C1392002219FC710CF68D485EA97BE0FF56318F248459E8158B3E2CB79DE45C760

Function 00534653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00534705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00534713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0053471A

Strings

msctls_updown32, xrefs: 00534684

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: edae5b30017e46834f2fd8f90f02128e03af4ed586f67d9db02c8896523508f7
Instruction ID: ee3b468214ff4f0ca733ca17afd0f85c0c2f83121cca870d01dac3a669eed37f
Opcode Fuzzy Hash: edae5b30017e46834f2fd8f90f02128e03af4ed586f67d9db02c8896523508f7
Instruction Fuzzy Hash: BF215EB5600209AFDB10DF68DCC1DA73BADFB5A398B040059FA059B291CB70FC52DA60

Function 005095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0050961D

Strings

#OnAutoItStartRegister, xrefs: 005095F3
#requireadmin, xrefs: 005095D9
#notrayicon, xrefs: 005095B7

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9ec32544f138de1a8f30953775574a1d2aab59060c0056362610cfb37974897f
Instruction ID: bee065988c22f21db5bc1466b8d90af2d7f5e80b90a3b4b5ef8a44bf35b9049d
Opcode Fuzzy Hash: 9ec32544f138de1a8f30953775574a1d2aab59060c0056362610cfb37974897f
Instruction Fuzzy Hash: 0021387210451166C331AA269C12FBF7B98BFA5314F10442EF949970C6EB56AD41C3D9

Function 005337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00533840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00533850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00533876

Strings

Listbox, xrefs: 0053380F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 73dd7153766c4e7871387ae569efd44b1815fffd5a92c7c2140af0d3be9f8212
Instruction ID: 3b9bcce0ae609db51587e3c57d386b4c226d43a2203c6946b74eaf0801e21657
Opcode Fuzzy Hash: 73dd7153766c4e7871387ae569efd44b1815fffd5a92c7c2140af0d3be9f8212
Instruction Fuzzy Hash: 6521D172610218BBEF218F64DC85FBB3B6EFF99764F118124F904AB190C671DD5287A0

Function 005149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00514A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00514A5C
SetErrorMode.KERNEL32(00000000,?,?,0053CC08), ref: 00514AD0

Strings

%lu, xrefs: 00514A6F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 97da4518d4f24a63e1b5e26655e2bd7c118506908621f0a7d77d072b8b0465e3
Instruction ID: 0c4b80c7415959aae5c4bc563a82a8d7c9f0bdea572a37db65c9a89a4b423d68
Opcode Fuzzy Hash: 97da4518d4f24a63e1b5e26655e2bd7c118506908621f0a7d77d072b8b0465e3
Instruction Fuzzy Hash: 1D317C75A00209AFDB10DF54C885EAA7BF8EF09308F1480A9F909EB352D775EE45CB61

Function 005341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0053424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00534264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00534271

Strings

msctls_trackbar32, xrefs: 00534226

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3c06d88bf084e78f939fba4bbafc171ff56b14cbbec6e3b5330f4f41d253bdc9
Instruction ID: 8cfc82df176dc240bb533fdd9bd6a9e68bab3b2fd2c8c84c37f191f08fb6503d
Opcode Fuzzy Hash: 3c06d88bf084e78f939fba4bbafc171ff56b14cbbec6e3b5330f4f41d253bdc9
Instruction Fuzzy Hash: EF11A331240248BEEF215E69CC06FAB3FACFF95B54F110514FA55E61A0D671EC519B24

Function 00502F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A6B57: _wcslen.LIBCMT ref: 004A6B6A

Part of subcall function 00502DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00502DC5
Part of subcall function 00502DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00502DD6
Part of subcall function 00502DA7: GetCurrentThreadId.KERNEL32 ref: 00502DDD
Part of subcall function 00502DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00502DE4

GetFocus.USER32 ref: 00502F78

Part of subcall function 00502DEE: GetParent.USER32(00000000), ref: 00502DF9

GetClassNameW.USER32(?,?,00000100), ref: 00502FC3
EnumChildWindows.USER32(?,0050303B), ref: 00502FEB

Strings

%s%d, xrefs: 00502FFF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 1da5a6a2ac9263c55e4073a7aaddd05d2d38ca130dee9e98965f5d642ced2fae
Instruction ID: cb8903da10898fd870168944d5e03a852d0e2df699321f44384519279df7c380
Opcode Fuzzy Hash: 1da5a6a2ac9263c55e4073a7aaddd05d2d38ca130dee9e98965f5d642ced2fae
Instruction Fuzzy Hash: A611A5716002056BCF15BF648C9AEED7B6ABF94304F044079B909AB292DE349D499B70

Function 00535882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005358EE
DrawMenuBar.USER32(?), ref: 005358FD

Strings

0, xrefs: 0053588F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 983a36c3c0126da3cd2d7cb52f4bbd6fc4b37d89c5ee694744df4e57a34a626c
Instruction ID: 21910b7791c00ad88241909f7f7295739d6b3204b8f19a94b64bfa3bf2a9cd73
Opcode Fuzzy Hash: 983a36c3c0126da3cd2d7cb52f4bbd6fc4b37d89c5ee694744df4e57a34a626c
Instruction Fuzzy Hash: FE011B32500218EEDB219F21DC45BAEBFB5FB45365F10849AF849D6251EB348A98EF31

Function 004FD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 004FD3BF
FreeLibrary.KERNEL32 ref: 004FD3E5

Strings

X64, xrefs: 004FD2A8
GetSystemWow64DirectoryW, xrefs: 004FD3B9

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 4743174aa4035f1cf6aab95e2ffbf55300d5b73cc3349c1233fdf30635d3d3ca
Instruction ID: c2fa362edce52029f89a0e8cd886d8a8096247b1cc21023ad3e1710442f7cdd6
Opcode Fuzzy Hash: 4743174aa4035f1cf6aab95e2ffbf55300d5b73cc3349c1233fdf30635d3d3ca
Instruction Fuzzy Hash: 37F02022C05A289AE73112108C549BA3B55AF10B01B568597AB02F6308D72CCC49A3EF

Function 0050007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35215f246a90a02ce8f913828d65cafccc0d6baf5ba098faac38dc2d06c2c3b1
Instruction ID: e89c3e89b6fb86f1c4a389585ab5b495e7ca3ce52cecd2459c6b911e4ddbe6ad
Opcode Fuzzy Hash: 35215f246a90a02ce8f913828d65cafccc0d6baf5ba098faac38dc2d06c2c3b1
Instruction Fuzzy Hash: C8C14975A0020AEFCB15CFA4C894BAEBBB5FF48314F249598E505EB291D731EE41DB90

Function 0052342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00523459
CoUninitialize.OLE32 ref: 00523463
VariantInit.OLEAUT32(?), ref: 0052346E
VariantClear.OLEAUT32(?), ref: 0052371B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: a771ed0164971b4a507304502a417dcbf03c42f0e32c9853669e3f3d88b0b702
Instruction ID: 1b770eb7f51f99316e806ef49c4e06a57318da367d1d7c3e68477546f8792f7f
Opcode Fuzzy Hash: a771ed0164971b4a507304502a417dcbf03c42f0e32c9853669e3f3d88b0b702
Instruction Fuzzy Hash: B0A180756043109FC710EF25D485A2ABBE5FF89318F04885DF98A9B3A2DB34EE05CB95

Function 00500436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0053FC08,?), ref: 005005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0053FC08,?), ref: 00500608
CLSIDFromProgID.OLE32(?,?,00000000,0053CC40,000000FF,?,00000000,00000800,00000000,?,0053FC08,?), ref: 0050062D
_memcmp.LIBVCRUNTIME ref: 0050064E

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 86402a2162c00e796d8544b0b74d7f6e759120f2bb6931cb918a8a405fbc208d
Instruction ID: 409e4e0d44475b3c05c18f3e2b5547037faae0cadd345e344387deb875362659
Opcode Fuzzy Hash: 86402a2162c00e796d8544b0b74d7f6e759120f2bb6931cb918a8a405fbc208d
Instruction Fuzzy Hash: 6981EC75A00109EFCB04DF94C984EEEBBB9FF89315F204559E516AB290DB71AE06CF60

Function 0052A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0052A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0052A6BA

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0052A79C
CloseHandle.KERNEL32(00000000), ref: 0052A7AB

Part of subcall function 004BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,004E3303,?), ref: 004BCE8A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 605bfcde2670ba65dedc4cfaadb0f27444ffc4b9f74595518798d61acc401bf0
Instruction ID: dfe1933f9c9d653597d00918e19aeb3720d73a46dd31cc78c327e17eed343ac5
Opcode Fuzzy Hash: 605bfcde2670ba65dedc4cfaadb0f27444ffc4b9f74595518798d61acc401bf0
Instruction Fuzzy Hash: F051B0715083109FD310EF25C886E6BBBE8FF9A748F00491EF58597291EB34E904CBA6

Function 004E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004E14C0

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1d8ff6cc5867824e5dc56658fb044d6b4588aa14828be525d52e0843b354e3d8
Instruction ID: ea62cb21c18bb1177270362ed8e5f87fdf0252d8fe153650001eacb5cfa24a05
Opcode Fuzzy Hash: 1d8ff6cc5867824e5dc56658fb044d6b4588aa14828be525d52e0843b354e3d8
Instruction Fuzzy Hash: 62415E356805806BDB256BBB8C45FBF3AA5EF41379F14026FF418D23E2E63C4841936A

Function 00536278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005362E2
ScreenToClient.USER32(?,?), ref: 00536315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00536382

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: eb1be309f85b1020f69d8e5585ef6cc048ebdbb9308d28216a73a70b71549794
Instruction ID: c8b61914f82661b57c8ad3913908e63df71a8dff3df0794711d4d5dcfd0d998e
Opcode Fuzzy Hash: eb1be309f85b1020f69d8e5585ef6cc048ebdbb9308d28216a73a70b71549794
Instruction Fuzzy Hash: 1B513975A00209AFCF10DF68D880AAE7FB5FB55360F10856DF9159B2A0D730ED81DB90

Function 00521AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00521AFD
WSAGetLastError.WSOCK32 ref: 00521B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00521B8A
WSAGetLastError.WSOCK32 ref: 00521B94

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 34d69ec2b3dccef979b4344cecc63523174165e09590e47d5c5b1a83ad42ff28
Instruction ID: ebe9dcf57304c920f4bd48412dc56fff0c5910e03d83efda9d836697e81f9f76
Opcode Fuzzy Hash: 34d69ec2b3dccef979b4344cecc63523174165e09590e47d5c5b1a83ad42ff28
Instruction Fuzzy Hash: 9E41F034600200AFE720AF21D886F2A7BE5AF56708F54848DF91A9F3D3D776ED418B94

Function 004DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce307d3892eef9d1f2e6a80f4b3498c51da49a607ce571225c248175c6cdcf4
Instruction ID: 57727fa914632972a47061e376e11aa195fdd5956f857357dafdf862e3916aff
Opcode Fuzzy Hash: fce307d3892eef9d1f2e6a80f4b3498c51da49a607ce571225c248175c6cdcf4
Instruction Fuzzy Hash: B141F175A00204FFD724DF39C852BAABBA9EB88718F11452FF141DB392D779A90187D4

Function 005156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00515783
GetLastError.KERNEL32(?,00000000), ref: 005157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005157FA

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: bd1f1505fb528b2f637adee5c0db21068975fb19bab08e7058a857f911d1375c
Instruction ID: 20814a834f0ecf944f7f6e97b20a76f8fc999f4eadec58a2988fac431a56607c
Opcode Fuzzy Hash: bd1f1505fb528b2f637adee5c0db21068975fb19bab08e7058a857f911d1375c
Instruction Fuzzy Hash: FD412F39600610DFCB11EF15C485A5EBBE2FF99354B188489E84A6B362DB34FD40CB95

Function 004DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,004C6D71,00000000,00000000,004C82D9,?,004C82D9,?,00000001,004C6D71,?,00000001,004C82D9,004C82D9), ref: 004DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004DD9AB
__freea.LIBCMT ref: 004DD9B4

Part of subcall function 004D3820: RtlAllocateHeap.NTDLL(00000000,?,00571444,?,004BFDF5,?,?,004AA976,00000010,00571440,004A13FC,?,004A13C6,?,004A1129), ref: 004D3852

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 56346ac989b57a09a0185688e3e1d8d62a3b5afa2de9ec736189c60dc5b21522
Instruction ID: 0071ffddcf5bd38bedc959ed6941b4d20a34c574f891010dfbbfcaf9800acf43
Opcode Fuzzy Hash: 56346ac989b57a09a0185688e3e1d8d62a3b5afa2de9ec736189c60dc5b21522
Instruction Fuzzy Hash: AF31B1B2A00206ABDB25DF65DCA5EAF7BA5EF40310F05016AFC0496350D73ADD54DB94

Function 005352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00535352
GetWindowLongW.USER32(?,000000F0), ref: 00535375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00535382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005353A8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 8ed777d331ef215ce77cb2599a87524a64de49bdfa50c36232be24cf2aeded66
Instruction ID: 911be1609558ff520bad72b70336496fc0def7cef410455e4eb1f9aeb28e8d2a
Opcode Fuzzy Hash: 8ed777d331ef215ce77cb2599a87524a64de49bdfa50c36232be24cf2aeded66
Instruction Fuzzy Hash: 6631C434A55A08EFEB309E18CC06BE83F65FB04390F986D01FA11962E1E7B09D84EB41

Function 0050AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0050ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0050AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0050AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0050ACC6

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e0c7272df49053a0d02ed031d9d22b9971d62ec6afbce9cb0102052acc2a3620
Instruction ID: 83fb0b828e17a3ddadf2c76c723b2cc364718f84d6f85c12292446aabe9fa4ac
Opcode Fuzzy Hash: e0c7272df49053a0d02ed031d9d22b9971d62ec6afbce9cb0102052acc2a3620
Instruction Fuzzy Hash: 1131F030A04718AFFF358B698C09BFE7FA5BB89310F09461AF485962D1C3758D8597A2

Function 00537674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0053769A
GetWindowRect.USER32(?,?), ref: 00537710
PtInRect.USER32(?,?,00538B89), ref: 00537720
MessageBeep.USER32(00000000), ref: 0053778C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c8e57fe9c410f2fce48c1e9afdc47ca44f934c426a402e70c90e65b2f6e3728c
Instruction ID: 9e60822a3edaeea31a605c3c334926e61175ba9022817f1a318e162bf41b8471
Opcode Fuzzy Hash: c8e57fe9c410f2fce48c1e9afdc47ca44f934c426a402e70c90e65b2f6e3728c
Instruction Fuzzy Hash: 9A41ADB4A05619EFCB22CF58D895EA97FF4FB5D310F1440A8E5149B261C330A946EF90

Function 005316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005316EB

Part of subcall function 00503A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00503A57
Part of subcall function 00503A3D: GetCurrentThreadId.KERNEL32 ref: 00503A5E
Part of subcall function 00503A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005025B3), ref: 00503A65

GetCaretPos.USER32(?), ref: 005316FF
ClientToScreen.USER32(00000000,?), ref: 0053174C
GetForegroundWindow.USER32 ref: 00531752

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 968cd0041dc1ef47243b7a8887ba42c5f5f9dfcd4b4baf6d154ebb72fd3b05f3
Instruction ID: 5c86db7ce7bce6ab5dc5f1dcbbde8dc0ec27fe19d6d8b9dac0d5f04a13d4b408
Opcode Fuzzy Hash: 968cd0041dc1ef47243b7a8887ba42c5f5f9dfcd4b4baf6d154ebb72fd3b05f3
Instruction Fuzzy Hash: CD316171D00109AFCB00DFAAC881CAEBBFDFF99308B5480AAE415E7251D7359E45CBA4

Function 00538FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004B9BB2

GetCursorPos.USER32(?), ref: 00539001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004F7711,?,?,?,?,?), ref: 00539016
GetCursorPos.USER32(?), ref: 0053905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004F7711,?,?,?), ref: 00539094

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 80054f07442dfe0bdbe3a19d3965eba1a325d4b26f4eb3527cd8052f644f8cb3
Instruction ID: 62e4672d7a9e61a0ade08e0df6ba826f8d411e9710edc8a2f53cce8054b1c11d
Opcode Fuzzy Hash: 80054f07442dfe0bdbe3a19d3965eba1a325d4b26f4eb3527cd8052f644f8cb3
Instruction Fuzzy Hash: C621BF75600118EFCB2A8F98C858EEA3FB9FB49350F004059F9059B261C3719D91EB60

Function 0050D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0053CB68), ref: 0050D2FB
GetLastError.KERNEL32 ref: 0050D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0050D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0053CB68), ref: 0050D376

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 4bf6590a0b3f724ace69e6d3fc6b392d9c9d4847ae9d6ebc456dbba41ecddf03
Instruction ID: 36b445601edea7447484be29c00e881c6f880bd946067dd958cb1832e916b513
Opcode Fuzzy Hash: 4bf6590a0b3f724ace69e6d3fc6b392d9c9d4847ae9d6ebc456dbba41ecddf03
Instruction Fuzzy Hash: 5A216D745053019FC700DF68C8814AEBBE4BF66368F504E1EF499932E1D7309949CBA3

Function 00501571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00501014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0050102A
Part of subcall function 00501014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00501036
Part of subcall function 00501014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00501045
Part of subcall function 00501014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0050104C
Part of subcall function 00501014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00501062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005015BE
_memcmp.LIBVCRUNTIME ref: 005015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00501617
HeapFree.KERNEL32(00000000), ref: 0050161E

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 99603668f733bfaf0ebb43b9cec084670b82309bdadf344f44683df2d36f4548
Instruction ID: 9535780f260234a4dcc9b3242a23c82be4151edfc8322f14bf63981f3b2c0862
Opcode Fuzzy Hash: 99603668f733bfaf0ebb43b9cec084670b82309bdadf344f44683df2d36f4548
Instruction Fuzzy Hash: A9217A31E00509AFDF14DFA4CD49BEEBBB8FF44344F084459E441AB281E731AA45DBA5

Function 00532782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0053280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00532824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00532832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00532840

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 50b6fc10afe786fc2cdead83912e6c414f6f17beab70892712e2945d33fc666d
Instruction ID: 37f52694ccbdf1f58e42f621a780404239adb42b978ffa6953af95a515d272b6
Opcode Fuzzy Hash: 50b6fc10afe786fc2cdead83912e6c414f6f17beab70892712e2945d33fc666d
Instruction Fuzzy Hash: 8F21D331204A11AFD7149B24C855FAABF95FF95328F148158F4268B6E2C775FC42CBD0

Function 005078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00508D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0050790A,?,000000FF,?,00508754,00000000,?,0000001C,?,?), ref: 00508D8C
Part of subcall function 00508D7D: lstrcpyW.KERNEL32(00000000,?,?,0050790A,?,000000FF,?,00508754,00000000,?,0000001C,?,?,00000000), ref: 00508DB2
Part of subcall function 00508D7D: lstrcmpiW.KERNEL32(00000000,?,0050790A,?,000000FF,?,00508754,00000000,?,0000001C,?,?), ref: 00508DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00508754,00000000,?,0000001C,?,?,00000000), ref: 00507923
lstrcpyW.KERNEL32(00000000,?,?,00508754,00000000,?,0000001C,?,?,00000000), ref: 00507949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00508754,00000000,?,0000001C,?,?,00000000), ref: 00507984

Strings

cdecl, xrefs: 0050797B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f75e8165055ca11980831b6de14be1325ef581505ea91265f6cb68f8a99ffed4
Instruction ID: 0e5028924fadf0d42bbb7d319972fb1e9b1f0940e1d772d15f0f637e6a190571
Opcode Fuzzy Hash: f75e8165055ca11980831b6de14be1325ef581505ea91265f6cb68f8a99ffed4
Instruction Fuzzy Hash: AE11263A200306ABCB159F39CC45D7E7BA9FF99350B00442AF846C73A4EB31E811D7A1

Function 00537CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00537D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00537D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00537D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0051B7AD,00000000), ref: 00537D6B

Part of subcall function 004B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004B9BB2

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8893418c2d98317008296d446c45f376b43984961f1cf7dbe0800ba5e10dcb09
Instruction ID: d4721d0a749f13d5ce11605056f3ec216589c7300eaba020fcfa57ee6365419a
Opcode Fuzzy Hash: 8893418c2d98317008296d446c45f376b43984961f1cf7dbe0800ba5e10dcb09
Instruction Fuzzy Hash: B911C071914658AFCB208F28DC04AA63FA4BF49360F118B24F939D72F0D7309D51EB90

Function 00535660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005356BB
_wcslen.LIBCMT ref: 005356CD
_wcslen.LIBCMT ref: 005356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00535816

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: c8bd0ba32ff1f1f1f429507f3de9909c1c8552d11db67b28c1a0d2103f0b9607
Instruction ID: 87627f3cd24808e3499939ee08d636ea563296a2fde896be6a187d2175c5710d
Opcode Fuzzy Hash: c8bd0ba32ff1f1f1f429507f3de9909c1c8552d11db67b28c1a0d2103f0b9607
Instruction Fuzzy Hash: 6C110375A0061896DF20DF65DC86AEE7FACFF11764F10542AF905D6081FB70CA84CB64

Function 004D1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b20fdc12d678034c8a7528158a82e36287b78e442da74e11344ab5561b5ea5b
Instruction ID: 4e718b4a510c1aa01ffb6dabb560064a3219b7553502b100ab630a718f39a6f4
Opcode Fuzzy Hash: 4b20fdc12d678034c8a7528158a82e36287b78e442da74e11344ab5561b5ea5b
Instruction Fuzzy Hash: 1401A7F22056167EF61116797CE0F27665EDF513B8B30032BF921613E1DB689C40A178

Function 00501A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00501A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00501A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00501A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00501A8A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0505a26860a4b4bf9cc0d2fca7a8b6065912ad17420c377bc6b39624a6099fc9
Instruction ID: 5c9050c86210926bfaddd917c5918d8eb8e30c258163355c0ca4f736d888610e
Opcode Fuzzy Hash: 0505a26860a4b4bf9cc0d2fca7a8b6065912ad17420c377bc6b39624a6099fc9
Instruction Fuzzy Hash: F611F73AA01219FFEB119BA5CD85FADBB78FB08750F200091EA05B7290D6716E50DB98

Function 0050E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0050E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0050E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0050E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0050E24D

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 52712dc107d4ef8bec5781143975066b1967aff452545a83f6e4ff1ef66e0d68
Instruction ID: 9375d0840a278d7dba9735fa823610328cd58857a4e86e5b2317b8929cf2db32
Opcode Fuzzy Hash: 52712dc107d4ef8bec5781143975066b1967aff452545a83f6e4ff1ef66e0d68
Instruction Fuzzy Hash: 6E110876904215BBC7019BACAC0AA9E7FACEB55314F104A59F815E33D0D270C908A7A0

Function 004CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,004CCFF9,00000000,00000004,00000000), ref: 004CD218
GetLastError.KERNEL32 ref: 004CD224
__dosmaperr.LIBCMT ref: 004CD22B
ResumeThread.KERNEL32(00000000), ref: 004CD249

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e13d9ba6c6d03df9049ffb9a06ffaa6c25c69461bbf8ca8816a81b342b27a017
Instruction ID: 7edaba13e00780c20f2c6912c314f9765c4c2585327d3dec15a32ea2c10cac2e
Opcode Fuzzy Hash: e13d9ba6c6d03df9049ffb9a06ffaa6c25c69461bbf8ca8816a81b342b27a017
Instruction Fuzzy Hash: 0701003A804204BBCB605BA6DC09FAB7A69DF81334F20026FF824922D0CF79C805D7A5

Function 00539EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004B9BB2

GetClientRect.USER32(?,?), ref: 00539F31
GetCursorPos.USER32(?), ref: 00539F3B
ScreenToClient.USER32(?,?), ref: 00539F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00539F7A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f5eac412fe23ff69fc1d82abe6871d870baf720367e123778c6095b74b0df8cb
Instruction ID: 237ca7da02bcc62ea9fefbc10d0b9872efe2292e8a349ca8cbd02f8376c3602f
Opcode Fuzzy Hash: f5eac412fe23ff69fc1d82abe6871d870baf720367e123778c6095b74b0df8cb
Instruction Fuzzy Hash: B0117C7290011AABDB11EFA8D889DEE7FB8FF45311F004455F911E3140D770BA85DBA1

Function 004A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004A604C
GetStockObject.GDI32(00000011), ref: 004A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 004A606A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 1816f87bf356122aa34fc475a40812c4871c85832c50942e7b132493c823821f
Instruction ID: 90af7a53eb53190e864d3463ece474978b84ada24e5a812e3dda27c2b2e9643e
Opcode Fuzzy Hash: 1816f87bf356122aa34fc475a40812c4871c85832c50942e7b132493c823821f
Instruction Fuzzy Hash: 0811A1B2505508BFEF128FA49C44EEB7F69EF29354F050106FA1556210C7369CA0EBA4

Function 004C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004C3B56

Part of subcall function 004C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 004C3AD2
Part of subcall function 004C3AA3: ___AdjustPointer.LIBCMT ref: 004C3AED

_UnwindNestedFrames.LIBCMT ref: 004C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 004C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 004C3BA4

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 19e3afe62488ceb19499cc05b235c245ffa880d545d868d024781f7ca3ec4614
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 57016D36100148BBCF515E96CC42EEB3B7DEF88759F04801EFE0856121D33AE961DBA4

Function 004D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004A13C6,00000000,00000000,?,004D301A,004A13C6,00000000,00000000,00000000,?,004D328B,00000006,FlsSetValue), ref: 004D30A5
GetLastError.KERNEL32(?,004D301A,004A13C6,00000000,00000000,00000000,?,004D328B,00000006,FlsSetValue,00542290,FlsSetValue,00000000,00000364,?,004D2E46), ref: 004D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004D301A,004A13C6,00000000,00000000,00000000,?,004D328B,00000006,FlsSetValue,00542290,FlsSetValue,00000000), ref: 004D30BF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ede8f12d4ab94acecfb608787ba16c8ae5596b8b79db46fc48054ef093b35268
Instruction ID: aabd4f019f2db490415ad5479a7d8cf0b8713db21b8e714a17bd3defb2c7a81f
Opcode Fuzzy Hash: ede8f12d4ab94acecfb608787ba16c8ae5596b8b79db46fc48054ef093b35268
Instruction Fuzzy Hash: 87012B36301222ABCB324F78AC549577B98AF15B62B140623F905F7384C725DD05D7E5

Function 00507464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0050747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00507497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005074CA

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 68d26274228116e844124a344b987ca9ee9ee2d5604897347b8039f2da25ec29
Instruction ID: 48234c1e96a0a0aff718f900612b3eb4f09aadaeffdbb9afe9a85f79cb6da3d6
Opcode Fuzzy Hash: 68d26274228116e844124a344b987ca9ee9ee2d5604897347b8039f2da25ec29
Instruction Fuzzy Hash: 001184B5A053199FEB208F54DC09F967FFCFB04B04F108569A666D6191D7B0F908EB60

Function 0050B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0050ACD3,?,00008000), ref: 0050B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0050ACD3,?,00008000), ref: 0050B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0050ACD3,?,00008000), ref: 0050B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0050ACD3,?,00008000), ref: 0050B126

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: da63d9e120fcfb803507ad5e1863d7a8d113b09f141306c907e52cf4edf962fe
Instruction ID: f43954de6ed977871fdc11bd1039072b9afcd2999233f230009bcb50271c57ab
Opcode Fuzzy Hash: da63d9e120fcfb803507ad5e1863d7a8d113b09f141306c907e52cf4edf962fe
Instruction Fuzzy Hash: AA116D31C0152CE7DF00AFE5E9A8AEEBF78FF59711F104486D941B2281CB305664EB91

Function 00537E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00537E33
ScreenToClient.USER32(?,?), ref: 00537E4B
ScreenToClient.USER32(?,?), ref: 00537E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00537E8A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bcafbd35c1c5fac19cab14b9c1e1eb219d20a73bfeb457c398324f8b83d4e696
Instruction ID: c47d0e74caf13c2426efb11fb3dc69dac2bea70e6de85e29e794ce51fc1b2439
Opcode Fuzzy Hash: bcafbd35c1c5fac19cab14b9c1e1eb219d20a73bfeb457c398324f8b83d4e696
Instruction Fuzzy Hash: 601143B9D0020EAFDB51CFA8C8849EEBBF9FB18310F505056E915E2310D735AA54DF90

Function 00502DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00502DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00502DD6
GetCurrentThreadId.KERNEL32 ref: 00502DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00502DE4

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 097a83826f070e954b040eaea6b2d4abb3a526baea9b79ebbed1f7b4a9a734bc
Instruction ID: 8d33e1e634447e37646839da92f001e1895ffce6b718fbeecb5c3aa6df1baeb0
Opcode Fuzzy Hash: 097a83826f070e954b040eaea6b2d4abb3a526baea9b79ebbed1f7b4a9a734bc
Instruction Fuzzy Hash: 8BE092B21016247BDB201B769C0EFEB3E6CFF62BA1F000015F105E11809AA0C845E7B0

Function 00538863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004B9693
Part of subcall function 004B9639: SelectObject.GDI32(?,00000000), ref: 004B96A2
Part of subcall function 004B9639: BeginPath.GDI32(?), ref: 004B96B9
Part of subcall function 004B9639: SelectObject.GDI32(?,00000000), ref: 004B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00538887
LineTo.GDI32(?,?,?), ref: 00538894
EndPath.GDI32(?), ref: 005388A4
StrokePath.GDI32(?), ref: 005388B2

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d99dcfa4e20215ed46c4fa748ea326d4bceecab8663b01ec21ed7ca19881a954
Instruction ID: 3b20442d5cd036a0ab05fdd0fb10e11a328a9e87bb7a3d33fb0e049cc565829d
Opcode Fuzzy Hash: d99dcfa4e20215ed46c4fa748ea326d4bceecab8663b01ec21ed7ca19881a954
Instruction Fuzzy Hash: 64F09A36001658BADB121F98AC0DFCE3F69AF26310F048000FB02751E2C7740566EBA9

Function 004B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004B98CC
SetTextColor.GDI32(?,?), ref: 004B98D6
SetBkMode.GDI32(?,00000001), ref: 004B98E9
GetStockObject.GDI32(00000005), ref: 004B98F1

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 958727ed270985df0c1bb973a90d1b6e17349530102c0186a92df04a83dc49fb
Instruction ID: 443aaad805d5d1af21c373a5cd13621c8413dadd651590a930f5667639aa3946
Opcode Fuzzy Hash: 958727ed270985df0c1bb973a90d1b6e17349530102c0186a92df04a83dc49fb
Instruction Fuzzy Hash: 5FE06531244244AADB215B74AC09BE93F10AB21335F04821AF7F6642E1C3754644EB10

Function 0050162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00501634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005011D9), ref: 0050163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005011D9), ref: 00501648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005011D9), ref: 0050164F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 093ab03acb7348e30903603ee23a95b5e1d0e3ffbee112fd2e780f4383a1b0b3
Instruction ID: d5efe91cd9ff4fbbfb015a313485a325f3acf7015ce65f4081a098f7e4048347
Opcode Fuzzy Hash: 093ab03acb7348e30903603ee23a95b5e1d0e3ffbee112fd2e780f4383a1b0b3
Instruction Fuzzy Hash: 76E08C32602211EBD7201FE0AE0DB8B3F7CBF64792F148808F285E9080E7348448DB65

Function 004FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004FD858
GetDC.USER32(00000000), ref: 004FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004FD882
ReleaseDC.USER32(?), ref: 004FD8A3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9daf12899fc412e9e4e213a591443a906eeb76c853061b6e60a061a56c1ee2a3
Instruction ID: f129274bbd6e7db1d7e2c3fcd5283e7fd029ebcfe0c7759564622daf46e307e0
Opcode Fuzzy Hash: 9daf12899fc412e9e4e213a591443a906eeb76c853061b6e60a061a56c1ee2a3
Instruction Fuzzy Hash: 43E0E5B5800204DFCB41AFA5984D66DBFB2AB18310F10804AF846A7360C7388906AF55

Function 004FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004FD86C
GetDC.USER32(00000000), ref: 004FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004FD882
ReleaseDC.USER32(?), ref: 004FD8A3

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f62ac233bc2d8d815bc994d2aa93530e7725121a06c20af5b338454609a5a34d
Instruction ID: ad6c514245c903b57ef1b59546cc270cb495f9f85fb34e573c86749a72dc6beb
Opcode Fuzzy Hash: f62ac233bc2d8d815bc994d2aa93530e7725121a06c20af5b338454609a5a34d
Instruction Fuzzy Hash: 07E012B5C00200EFCB40AFA4D84D66DBFB1BB28310F108049F84AF7360CB38990AAF50

Function 00514D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004A7620: _wcslen.LIBCMT ref: 004A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00514ED4

Strings

*, xrefs: 00514E10
LPT, xrefs: 00514DFB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 3b04869bff7366de45d3c4d1839960e5164409847c9f155845c2b4290f5a8310
Instruction ID: 36a65a20b3a93545ab86ca95f936f6d09b2a099558a0d8841fed13425310b60c
Opcode Fuzzy Hash: 3b04869bff7366de45d3c4d1839960e5164409847c9f155845c2b4290f5a8310
Instruction Fuzzy Hash: 61915E75A002049FDB14DF58C484EAABBF5BF45308F199099E80A9F3A2D735ED86CF91

Function 004CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004CE30D

Strings

pow, xrefs: 004CE2E5, 004CE302

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cdf4fb59efcf2ec17438f1506c2760a4e755e14d2357c72bd03bacccbcb749b7
Instruction ID: 45b4b41e5925aeeb7807ca2c04f498ff121126dfb56d6c7c9e605a5baff77266
Opcode Fuzzy Hash: cdf4fb59efcf2ec17438f1506c2760a4e755e14d2357c72bd03bacccbcb749b7
Instruction Fuzzy Hash: 13518D69A0C20196CB157715C952BBB3B949B10744F708D9FF495423F9FB3C8C86AA4E

Function 00527771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(004F569E,00000000,?,0053CC08,?,00000000,00000000), ref: 005278DD

Part of subcall function 004A6B57: _wcslen.LIBCMT ref: 004A6B6A

CharUpperBuffW.USER32(004F569E,00000000,?,0053CC08,00000000,?,00000000,00000000), ref: 0052783B

Strings

<sV, xrefs: 005277C8

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sV
API String ID: 3544283678-1412045586
Opcode ID: 484fbfc460aadac8f981da02259d8654dfd7745612b69cc15d9b1c48f4f49689
Instruction ID: 899187c45e3e2040a2371c17e4dae5f06f11e0ddff366f3b2762b13bc967e8e7
Opcode Fuzzy Hash: 484fbfc460aadac8f981da02259d8654dfd7745612b69cc15d9b1c48f4f49689
Instruction Fuzzy Hash: 1E61827291422CAACF04FBA5DC91DFDB778BF2A304F44452AF502A3091EF385A45CBA4

Function 004BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 004BE1B1

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 8f7aaec8504f68e44cd62453258bd9fd7e265ef9de8166f3aa3c42c1a532df5b
Instruction ID: 44632e7e6f3e0564b494622d4921408d61d46a49b7a331f92f8c40a7900ff3c6
Opcode Fuzzy Hash: 8f7aaec8504f68e44cd62453258bd9fd7e265ef9de8166f3aa3c42c1a532df5b
Instruction Fuzzy Hash: C051243550024ADFDB18EF2AC0416FA7BA4EF65311F24409BEA519B3E0D63C9D43C7A9

Function 004BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 004BF2BB

Strings

@, xrefs: 004BF2AF

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7fe548b49b548bf98ed7a6eeb8ef80d5babad00ca642b774703882121b7ce072
Instruction ID: bf65c96f551f41c0d843f39aa7685733252eb6f9f3114372b4ef5695cad4d32b
Opcode Fuzzy Hash: 7fe548b49b548bf98ed7a6eeb8ef80d5babad00ca642b774703882121b7ce072
Instruction Fuzzy Hash: 775147714087449FD320AF11DC86BABBBF8FFA5304F81885EF1D9411A5EB748529CB6A

Function 00525745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005257E0
_wcslen.LIBCMT ref: 005257EC

Strings

CALLARGARRAY, xrefs: 005257E6, 005257EB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d98999c061862ac3be9959490ccf505cc7d2aae580e9e7377fd2f788ebf01f0c
Instruction ID: bbf2657d7e7b93e8e057491703371403dd388045f993d73541a16cb6a035758b
Opcode Fuzzy Hash: d98999c061862ac3be9959490ccf505cc7d2aae580e9e7377fd2f788ebf01f0c
Instruction Fuzzy Hash: E641AF31A001199FCB14DFA9D8859AEBFF5FF5A364F20402EE505A7291E7749D81CBA0

Function 0051D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0051D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0051D13A

Strings

|, xrefs: 0051D10B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6eaf2bcda5dda2a0e707028a186d35fdfff683d85ff69ef012e5d2c1a9401709
Instruction ID: 1c60f811d0d0181644e71e8111014fd8e2ddb44a73f565531bb1eae0c78896b1
Opcode Fuzzy Hash: 6eaf2bcda5dda2a0e707028a186d35fdfff683d85ff69ef012e5d2c1a9401709
Instruction Fuzzy Hash: 0A313971D00219ABDF11EFA5CC85AEFBFB9FF15304F00001AE815A6161D739AA46CB64

Function 0053356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00533621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0053365C

Strings

static, xrefs: 005335BC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8bf665694fa225d6b8ecbd3bcc3b7a030ae7a60145f47f5c72eb2be5b50ee099
Instruction ID: c998ad3adc2ca76f86ebd8111a28b9c204b2961cdecff576290e74a5a81f9634
Opcode Fuzzy Hash: 8bf665694fa225d6b8ecbd3bcc3b7a030ae7a60145f47f5c72eb2be5b50ee099
Instruction Fuzzy Hash: 7131BC71100204AEDB20DF68DC81EFB7BA9FF98724F00861DF8A5D7280DA34AD91D760

Function 00534537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0053461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00534634

Strings

', xrefs: 0053458E

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4034bc6a45c4895b019fb4269aa8b7fe6823ec28ae8396425c421b53dca6cb67
Instruction ID: c4cc85ff7ef4598fcb525e1e5caceeada0ffb34427b4ba578ba9bd18627366b1
Opcode Fuzzy Hash: 4034bc6a45c4895b019fb4269aa8b7fe6823ec28ae8396425c421b53dca6cb67
Instruction Fuzzy Hash: A8313674E0030A9FDB14CFA9C981BEABBB5FF09300F10406AE905AB381D770A951DF90

Function 005331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0053327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00533287

Strings

Combobox, xrefs: 00533249

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b98bab13de2ddff3c078119b9f0b81d0c52c83d9319f7b6f5dfaced4265b18ab
Instruction ID: 4904c9cff823fb83b59bb6601bbdac89e43270bf6ddbdd70fd729af83ee9f283
Opcode Fuzzy Hash: b98bab13de2ddff3c078119b9f0b81d0c52c83d9319f7b6f5dfaced4265b18ab
Instruction Fuzzy Hash: B211C4753002087FFF259F94DC85EBB3F6AFB98364F104229F9189B290D6719D519760

Function 00533710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004A604C
Part of subcall function 004A600E: GetStockObject.GDI32(00000011), ref: 004A6060
Part of subcall function 004A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004A606A

GetWindowRect.USER32(00000000,?), ref: 0053377A
GetSysColor.USER32(00000012), ref: 00533794

Strings

static, xrefs: 00533757

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 786f9ff2a31b37105e844dc781cd1ee72d4d4d92133bc40f6dfc543ccab83b77
Instruction ID: baf79651767c658c3b45e4968665665dfacb80a1a9d5b180a54363a0a223eada
Opcode Fuzzy Hash: 786f9ff2a31b37105e844dc781cd1ee72d4d4d92133bc40f6dfc543ccab83b77
Instruction Fuzzy Hash: FC1137B261020AAFDF00DFA8CC46EFA7BB8FB18314F014919F955E2250E735E965DB60

Function 0051CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0051CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0051CDA6

Strings

<local>, xrefs: 0051CD66

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 44e2fcd436ce0fad51602fa6b35841311545111bb3389995fcc1dcc95f92c961
Instruction ID: 33ef7326ec2905d078a014901a8ffdad61f5711caadb519ee5c2934927c509e0
Opcode Fuzzy Hash: 44e2fcd436ce0fad51602fa6b35841311545111bb3389995fcc1dcc95f92c961
Instruction Fuzzy Hash: 031106712816717AE7344B669C44EE7BE6CFF127A4F00422AB10993180D3729880D6F0

Function 00533429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005334BA

Strings

edit, xrefs: 0053348F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 40979a89ab09d2eb0f6071e356e887fd88cff883087a066fe2c6b3439081aef0
Instruction ID: dd1b382972fcb108f3dab821263109f8d69649494d54d31940a8fb6232ed4534
Opcode Fuzzy Hash: 40979a89ab09d2eb0f6071e356e887fd88cff883087a066fe2c6b3439081aef0
Instruction Fuzzy Hash: A4118F71100208ABEF118F64DC48ABB3F6AFB15378F504724F965971E0C775DC95A750

Function 00506C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00506CB6
_wcslen.LIBCMT ref: 00506CC2

Strings

STOP, xrefs: 00506CBC, 00506CC1

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e17cc9151a4396ced5c19982e7a2a7eb59451fc421d4d692052464d76a16b415
Instruction ID: 9d9ce37dd45d038d1336190e24b8338c7cbf4bcd4b08c6664f911304e023dcd2
Opcode Fuzzy Hash: e17cc9151a4396ced5c19982e7a2a7eb59451fc421d4d692052464d76a16b415
Instruction Fuzzy Hash: D0010033A005278BDB20AFBEDC819BF7BA4FB61714B400929E862971D0EB35DC20C650

Function 00501CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 00503CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00503CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00501D4C

Strings

ListBox, xrefs: 00501D16
ComboBox, xrefs: 00501CEB

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e204ba1cd676857f908134dd75d97995d476d91ec5aba05e0a96c2d4bead502a
Instruction ID: f293982367168cc48cfa70f9f5d4fab259e923d22f58f21dd7b0d79bba33c03c
Opcode Fuzzy Hash: e204ba1cd676857f908134dd75d97995d476d91ec5aba05e0a96c2d4bead502a
Instruction Fuzzy Hash: 54012832600614ABCB04EBA4CC15CFE7B68FF63394B04090EF822673D1EA345D088765

Function 00501BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 00503CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00503CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00501C46

Strings

ListBox, xrefs: 00501C10
ComboBox, xrefs: 00501BE5

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1926c22245ab8f0eb2374fd2147f5139d5e15a81732f69fae528599af4c12e27
Instruction ID: 9c048dbc739b9ca1be6a009e7a35006915bdf225206776df23ae6f72da1a0cae
Opcode Fuzzy Hash: 1926c22245ab8f0eb2374fd2147f5139d5e15a81732f69fae528599af4c12e27
Instruction Fuzzy Hash: 6A01A77568150467DB18EB90C9569FF7BA8BF62384F14001EF406772C1EA24DE4886BA

Function 00501C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 00503CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00503CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00501CC8

Strings

ListBox, xrefs: 00501C94
ComboBox, xrefs: 00501C69

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f79dddbbc389799ebdb37e078695481d52c117b6a5dd15cea72fa0442ed0c5a8
Instruction ID: f38c0adfaa07a43d6e1b8306cc386cd0b6461b0394694200bef91f8ccab6243d
Opcode Fuzzy Hash: f79dddbbc389799ebdb37e078695481d52c117b6a5dd15cea72fa0442ed0c5a8
Instruction Fuzzy Hash: 1801DB7168091467DB14E795CA16AFE7BACBF22384F14001AB802772C1EA24DF08C676

Function 004BA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004BA529

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Strings

3yO, xrefs: 004BA545, 004BA54D, 004BA552
,%W, xrefs: 004BA509

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%W$3yO
API String ID: 2551934079-1505818326
Opcode ID: bc543461afa51c682f6f20f1acbd201078d797c612deb9447a8c6720b1b02cfe
Instruction ID: f53e469ed9d6429da6c0085407bd707cb484d9d21c60f0e0999593fe3d69dcbd
Opcode Fuzzy Hash: bc543461afa51c682f6f20f1acbd201078d797c612deb9447a8c6720b1b02cfe
Instruction Fuzzy Hash: EB01473260061497C620F76AE80BFAD3794EB05714F40002FF5061B2C2DE1CAE058AAF

Function 00501D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9CB3: _wcslen.LIBCMT ref: 004A9CBD

Part of subcall function 00503CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00503CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00501DD3

Strings

ListBox, xrefs: 00501DA0
ComboBox, xrefs: 00501D75

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: fa6c9cdb87eec0ed026d3fee8f53701ecef7df5f5e389dd2940dba12b4a97695
Instruction ID: bf412ccb9ae13412f89a1c46b95b84b7c26180bf52ce80c4d8a1d1d37954439b
Opcode Fuzzy Hash: fa6c9cdb87eec0ed026d3fee8f53701ecef7df5f5e389dd2940dba12b4a97695
Instruction Fuzzy Hash: 10F0F472A50A1566DB04F7A4CC52AFE7B6CBF22394F04091AB822A72C1EA745D088269

Function 00538172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00573018,0057305C), ref: 005381BF
CloseHandle.KERNEL32 ref: 005381D1

Strings

\0W, xrefs: 0053818A

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0W
API String ID: 3712363035-2964257890
Opcode ID: 806ffd2868330db91f7a3f3faad87e5d4455e7f3463fa8d8ffde67ab9c1559cb
Instruction ID: 3e52303ecc5ea3dd370b0665aa9cc178f68d541cce87683614c39a6d3b9aa837
Opcode Fuzzy Hash: 806ffd2868330db91f7a3f3faad87e5d4455e7f3463fa8d8ffde67ab9c1559cb
Instruction Fuzzy Hash: 10F054B1640300BAE3106761BC49F773E5CEB15764F004425BB0CD51A1D6B98A58B3B9

Function 0052747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00527493
_wcslen.LIBCMT ref: 005274B9

Strings

3, 3, 16, 1, xrefs: 00527483

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 5ce6da662516d898fcf2dda017373aa50a9ae2554f86e56d9528ca5a7db5cb91
Instruction ID: 87d2eaac3da569ca4637e88e0eb91919e6f37e410a1040002b74ee4bb7de6b98
Opcode Fuzzy Hash: 5ce6da662516d898fcf2dda017373aa50a9ae2554f86e56d9528ca5a7db5cb91
Instruction Fuzzy Hash: D8E023467043301056B13276BDC1E7F5E89EFCF754710182FF541C2296D6548D9153E4

Function 00500B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00500B23

Strings

AutoIt, xrefs: 00500B17
Error allocating memory., xrefs: 00500B1C

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1b4581e10f62beea49310f53cbc5db4b65fca0d06751973ae99d06b82ff9d8d8
Instruction ID: 74c5b4bf9d45d5c1fcf063fee821a9b6fa854aae5b70f3898e20ab87236866b3
Opcode Fuzzy Hash: 1b4581e10f62beea49310f53cbc5db4b65fca0d06751973ae99d06b82ff9d8d8
Instruction Fuzzy Hash: 4AE0DF322843182AD21036967C03FDD7F88AF05B29F10042FFB98A55C38AE668A047BD

Function 004C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,004C0D71,?,?,?,004A100A), ref: 004BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,004A100A), ref: 004C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004A100A), ref: 004C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004C0D7F

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a941c4d282a3f2eb31d2e52db6036fd0331b337941e6d6e184de53469fd48542
Instruction ID: e9aa9510a583e4a0a9d8cffeaeb491989c4659ca4650ccedc4df8788a7ee3714
Opcode Fuzzy Hash: a941c4d282a3f2eb31d2e52db6036fd0331b337941e6d6e184de53469fd48542
Instruction Fuzzy Hash: 7BE06D782007118BD3B09FB9E8047467FE4BB10744F00896EE886C6751DBB8E4489BA5

Function 004BE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004BE3D5

Strings

8%W, xrefs: 004BE3CA
0%W, xrefs: 004BE3B5

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%W$8%W
API String ID: 1385522511-4035536259
Opcode ID: d5d83704f45eb0b0296ac5f539e50b143d622e33f0b70ae5c04beed2dd481f0c
Instruction ID: 1f69bc4a2ba9e81a2d14da74906e0ff0a7689039fa3f9033d733b037681f50ca
Opcode Fuzzy Hash: d5d83704f45eb0b0296ac5f539e50b143d622e33f0b70ae5c04beed2dd481f0c
Instruction Fuzzy Hash: F9E02631400910CBC604972AB854EC833D1FB8432CF1061AFE90A8F2D39B3CA882B76D

Function 00513017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0051302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00513044

Strings

aut, xrefs: 00513038

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 695369698881ee7ebfed104cf866033a8ee3894335b33bb91e5098420e9fca2d
Instruction ID: 6d0475aaa81822c6108d0e5f5560412c7521e1853b75b4eedb95e13d31cbce47
Opcode Fuzzy Hash: 695369698881ee7ebfed104cf866033a8ee3894335b33bb91e5098420e9fca2d
Instruction Fuzzy Hash: C3D05E76500328A7DA60A7A4AC0EFCB3E6CDB04750F0002A1BA95E2191DAB09988CBD0

Function 004FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004FD220

Strings

X64, xrefs: 004FD2A8
%.3d, xrefs: 004FD22B

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 019be8ea0fefb23ae746c606edf065606ec67fc13a0352b348efd956ba905eb4
Instruction ID: 0adc0d700385d783fb646e59963dab9290fae29aa48bd804f459f7e765931eef
Opcode Fuzzy Hash: 019be8ea0fefb23ae746c606edf065606ec67fc13a0352b348efd956ba905eb4
Instruction Fuzzy Hash: 45D01271C0810CEACB5097D0DC458FAB77DBB18301F518493FA06A2040E62CD50AA7AB

Function 00532356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0053236C
PostMessageW.USER32(00000000), ref: 00532373

Part of subcall function 0050E97B: Sleep.KERNEL32 ref: 0050E9F3

Strings

Shell_TrayWnd, xrefs: 00532365

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 28f81da632ee3243d799927b8233aa0cc388f09cc83f9eb56249acadc09f4b5e
Instruction ID: 96c47b905e32137e42beff1c0e1e4dc66f68651a05fa2b8cf7bf9afe6c58e237
Opcode Fuzzy Hash: 28f81da632ee3243d799927b8233aa0cc388f09cc83f9eb56249acadc09f4b5e
Instruction Fuzzy Hash: 0AD0C9323813107AE664A7709C0FFCA7E14AB55B10F1049167645BA2D0C9A0A8059B54

Function 00532322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0053232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0053233F

Part of subcall function 0050E97B: Sleep.KERNEL32 ref: 0050E9F3

Strings

Shell_TrayWnd, xrefs: 00532325

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0c49401e46ef1eb0f32d5b32845ad5d0d8e25733b3302d40be915435d1fe0e14
Instruction ID: a1013229b4392ea4bdb0ba0b2109e1855aaa2ae0fbe23ae92f185aa3d08b7db5
Opcode Fuzzy Hash: 0c49401e46ef1eb0f32d5b32845ad5d0d8e25733b3302d40be915435d1fe0e14
Instruction Fuzzy Hash: F0D0C936394310B6E664A7709C0FFCA7E14AB51B10F1049167645BA2D0C9A0A8059B54

Function 004DBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 004DBE93
GetLastError.KERNEL32 ref: 004DBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004DBEFC

Memory Dump Source

Source File: 00000004.00000002.1349120673.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000004.00000002.1349041878.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.000000000053C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1349912819.0000000000562000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350031764.000000000056C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1350073246.0000000000574000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ac344f206efb68be4a1ddb04eb51fafc70489ed11b32acd1ce30cd0aca8de915
Instruction ID: 8f1880ff1e1f0f762143e418acedc30fd187cd05994b955909a7acdf8acf2d31
Opcode Fuzzy Hash: ac344f206efb68be4a1ddb04eb51fafc70489ed11b32acd1ce30cd0aca8de915
Instruction Fuzzy Hash: E741E435600246EFCF218F65CC68AAB7BA5EF41310F16816FF959973A1DB388C01DB99

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000013.00000003.1487956690.0000023686B88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1423056006.0000023686BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1505994584.0000023686BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475214618.0000023686BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1472038436.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1365373018.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1424522437.000002368645D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1472038436.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1365373018.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1424522437.000002368645D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1487956690.0000023686B88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1423056006.0000023686BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1505994584.0000023686BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475214618.0000023686BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1478735631.0000023686515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1478735631.0000023686515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1349864735.000002367F773000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1472038436.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1365373018.000002368645D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1472038436.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1365373018.000002368645D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1424522437.000002368645D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2528028073.0000022599B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ ) equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2528028073.0000022599B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ ) equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2528028073.0000022599B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ ) equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2528782723.0000022A8CC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2528028073.0000022599B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2528782723.0000022A8CC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2528028073.0000022599B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1493185017.000002367FC1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2528782723.0000022A8CC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2528028073.0000022599B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1471128632.0000023686B8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1494641337.000002367EDC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1487956690.0000023686B88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1423056006.0000023686BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1520477637.00000236865E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1505994584.0000023686BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1494641337.000002367EDC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1480744041.000002367F38C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.7:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49893 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49894 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_79bc784b-8891-4895-bc65-536fbdf396da.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_79bc784b-8891-4895-bc65-536fbdf396da.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre