Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562255
MD5:	088bf96f7f07f9d38d2deeb897b64873
SHA1:	12f050450140a99f0b834c6dd9070e73116877f7
SHA256:	3fc67f9ae859f3da233203e40d88f00aff6f0c2c9c58d9d562ee8fe7cbf20c7a
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5508 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 088BF96F7F07F9D38D2DEEB897B64873)

taskkill.exe (PID: 6960 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5732 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5628 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2628 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6960 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6140 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6912 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3964 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7252 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23394519-5634-4e38-af03-29850acb4b80} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d3be6e510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7872 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -parentBuildID 20230927232528 -prefsHandle 3648 -prefMapHandle 2912 -prefsLen 26151 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e42fb9f8-7b06-4a0a-8703-7e638740022d} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d3be7a710 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4240 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32652d90-4854-4b87-9fab-293d8e7df5cd} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d4e207510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5508	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00ADEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00ADEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ADED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00ADED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00ADEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ACAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00ACAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00AF9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9f5f11d2-9
Source: file.exe, 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_247d062a-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_be8b0978-1
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6867d94b-c

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000213C7CC2E77 NtQuerySystemInformation,		18_2_00000213C7CC2E77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000213C7CC9E72 NtQuerySystemInformation,		18_2_00000213C7CC9E72

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ACD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00ACD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00AC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ACE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00ACE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A68060	0_2_00A68060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD2046	0_2_00AD2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC8298	0_2_00AC8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9E4FF	0_2_00A9E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9676B	0_2_00A9676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AF4873	0_2_00AF4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8CAA0	0_2_00A8CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6CAF0	0_2_00A6CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7CC39	0_2_00A7CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A96DD9	0_2_00A96DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7D065	0_2_00A7D065
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A691C0	0_2_00A691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7B119	0_2_00A7B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81394	0_2_00A81394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81706	0_2_00A81706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8781B	0_2_00A8781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A819B0	0_2_00A819B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A67920	0_2_00A67920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7997D	0_2_00A7997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A87A4A	0_2_00A87A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A87CA7	0_2_00A87CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81C77	0_2_00A81C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A99EEE	0_2_00A99EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AEBE44	0_2_00AEBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81F32	0_2_00A81F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000213C7CC2E77	18_2_00000213C7CC2E77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000213C7CC9E72	18_2_00000213C7CC9E72
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000213C7CCA59C	18_2_00000213C7CCA59C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_00000213C7CC9EB2	18_2_00000213C7CC9EB2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A69CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A80A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A7F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@33/34@72/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AD37B5 GetLastError,FormatMessageW,

0_2_00AD37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC10BF AdjustTokenPrivileges,CloseHandle,		0_2_00AC10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00AC16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AD51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00AD51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ACD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00ACD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AD648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00AD648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A642A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1660:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.1526622753.0000023D50C40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572072674.0000023D57647000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1488405824.0000023D50C40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1481836001.0000023D576F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.1572072674.0000023D57647000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.1572072674.0000023D57647000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.1572072674.0000023D57647000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.1572072674.0000023D57647000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.1572072674.0000023D57647000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.1572072674.0000023D57647000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.1572072674.0000023D57647000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.1572072674.0000023D57647000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23394519-5634-4e38-af03-29850acb4b80} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d3be6e510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -parentBuildID 20230927232528 -prefsHandle 3648 -prefMapHandle 2912 -prefsLen 26151 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e42fb9f8-7b06-4a0a-8703-7e638740022d} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d3be7a710 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32652d90-4854-4b87-9fab-293d8e7df5cd} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d4e207510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23394519-5634-4e38-af03-29850acb4b80} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d3be6e510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -parentBuildID 20230927232528 -prefsHandle 3648 -prefMapHandle 2912 -prefsLen 26151 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e42fb9f8-7b06-4a0a-8703-7e638740022d} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d3be7a710 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32652d90-4854-4b87-9fab-293d8e7df5cd} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d4e207510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.1443748234.0000023D57E01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000E.00000003.1454912570.0000023D4B4E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1458152487.0000023D4B47D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1458152487.0000023D4B47D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1462706458.0000023D4B47D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.1443748234.0000023D57E01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1462706458.0000023D4B47D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000E.00000003.1454912570.0000023D4B4E2000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A642DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A80A76 push ecx; ret

0_2_00A80A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A7F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00AF1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96268

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_00000213C7CC2E77 rdtsc

18_2_00000213C7CC2E77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe TID: 1468	Thread sleep count: 110 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1468	Thread sleep count: 150 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00ACDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9C2A2 FindFirstFileExW,	0_2_00A9C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD68EE FindFirstFileW,FindClose,	0_2_00AD68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00AD698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ACD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ACD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AD9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AD979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00AD9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00AD5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A642DE

Source: firefox.exe, 00000012.00000002.2592300530.00000213C7D90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWFh
Source: firefox.exe, 00000010.00000002.2586446962.0000022D67DFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW ~
Source: firefox.exe, 00000012.00000002.2592300530.00000213C7D90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldWz
Source: firefox.exe, 00000013.00000002.2585848731.00000226BC46A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW 6
Source: firefox.exe, 00000012.00000002.2584672064.00000213C750A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2592300530.00000213C7D90000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2591668862.00000226BC900000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.2592139443.0000022D68219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.2592300530.00000213C7D90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:Q,
Source: firefox.exe, 00000010.00000002.2586446962.0000022D67E28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: firefox.exe, 00000010.00000002.2593369837.0000022D68378000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2592300530.00000213C7D90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_00000213C7CC2E77 rdtsc

18_2_00000213C7CC2E77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ADEAA2 BlockInput,

0_2_00ADEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A92622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A84CE8 mov eax, dword ptr fs:[00000030h]

0_2_00A84CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00AC0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A92622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A8083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A809D5 SetUnhandledExceptionFilter,	0_2_00A809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A80C21

Source: C:\Users\user\Desktop\file.exe

0_2_00AC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AA2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AA2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ACB226 SendInput,keybd_event,

0_2_00ACB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AE22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00AE22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00AC0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AC1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00AC1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.1445997156.0000023D57E01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A80698 cpuid

0_2_00A80698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AD8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00AD8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ABD27A GetUserNameW,

0_2_00ABD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A9B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00A9B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5508, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5508, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00AE1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00AE1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.206	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000013.00000002.2587623210.00000226BC8C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.1494881678.0000023D55A4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1537139531.0000023D55A4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483579336.0000023D55A4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540561173.0000023D55A4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1435156205.0000023D4CA60000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1419377732.0000023D4FA3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1503384674.0000023D4FA36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418815192.0000023D4FA40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1417490009.0000023D4FA44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1417962749.0000023D4FA45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.2586892427.00000213C77E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2587623210.00000226BC88F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1540561173.0000023D55A4B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.1481103957.0000023D5798C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1493545786.0000023D5798C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 0000000E.00000003.1508269784.0000023D58697000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.1559068146.0000023D4D6F9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1527436377.0000023D4E4CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390388336.0000023D4BA21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390520476.0000023D4BA40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390849921.0000023D4BA7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.1541915994.0000023D4E1C9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.1572191450.0000023D57633000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.microso	firefox.exe, 0000000E.00000003.1458152487.0000023D4B4D5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1454507479.0000023D4B4D3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1456188752.0000023D4B4D3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464952557.0000023D4B4D3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463514896.0000023D4B4D3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1462706458.0000023D4B4D3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464695043.0000023D4B4D3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1454912570.0000023D4B4D3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463790874.0000023D4B4D3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1537605790.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390388336.0000023D4BA21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1496348881.0000023D53F4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390520476.0000023D4BA40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390849921.0000023D4BA7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.1550943307.0000023D4DF13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1390655799.0000023D4BA60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390255205.0000023D4B800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390388336.0000023D4BA21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390520476.0000023D4BA40000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.1567903767.0000023D4F3B9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 0000000E.00000003.1481836001.0000023D57685000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.1536371933.0000023D57373000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.1431014781.0000023D4CA96000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1483579336.0000023D55AA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1544808947.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.1538576808.0000023D4E1EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2586892427.00000213C770A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2587623210.00000226BC80C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.1434700766.0000023D4CB10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1433682166.0000023D4CA56000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.1572439207.0000023D5733A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000013.00000002.2587623210.00000226BC8C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.1544550478.0000023D53E4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549240798.0000023D53E5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1433710720.0000023D4CA2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1433710720.0000023D4CA3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1434376736.0000023D4CA7E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.1498721496.0000023D4E392000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1428007061.0000023D4E396000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1572439207.0000023D57326000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=htA	firefox.exe, 00000013.00000002.2587041559.00000226BC7F0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.1541915994.0000023D4E1C9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000010.00000002.2588420109.0000022D681CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2586892427.00000213C77E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2591943052.00000226BCA03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.2586892427.00000213C775F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2586892427.00000213C7712000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2587623210.00000226BC813000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.1433710720.0000023D4CA3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1530804685.0000023D4BDE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1508269784.0000023D5868F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1491423926.0000023D4CBAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1429890800.0000023D4CAC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1431014781.0000023D4CA96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1397183908.0000023D4CAE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1430398763.0000023D4E387000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1397716317.0000023D4BDFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1428007061.0000023D4E39E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1532106446.0000023D4BDF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1397542631.0000023D4CAE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1397183908.0000023D4CAF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552745259.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1430398763.0000023D4E38B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1543449968.0000023D4CAD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554593975.0000023D4F860000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483579336.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1501807297.0000023D4F416000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1520896112.0000023D57D0E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1435156205.0000023D4CA9D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.1550943307.0000023D4DF13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.1550943307.0000023D4DF13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483579336.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483579336.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1419377732.0000023D4FA3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1503384674.0000023D4FA36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418815192.0000023D4FA40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1417490009.0000023D4FA44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1417962749.0000023D4FA45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.1560593905.0000023D4C8CE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.1450976415.0000023D57BC6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1394574039.0000023D4B233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1500276038.0000023D4B22A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1394180447.0000023D4B22A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1393427076.0000023D4B233000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.1433710720.0000023D4CA3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.1550101071.0000023D4E11C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1542689365.0000023D4E11C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1548619379.0000023D4E11C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/	firefox.exe, 0000000E.00000003.1508269784.0000023D58697000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1489476496.0000023D4F05D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547261779.0000023D4F05D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.1434700766.0000023D4CB10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1433710720.0000023D4CA2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1433769710.0000023D4CA4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1433682166.0000023D4CA56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1433710720.0000023D4CA3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1394574039.0000023D4B233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1500276038.0000023D4B22A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1394180447.0000023D4B22A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1393427076.0000023D4B233000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.1572439207.0000023D5733A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.1451838919.0000023D573E4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.1390849921.0000023D4BA7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000E.00000003.1390655799.0000023D4BA60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1497166420.0000023D53F5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1538536857.0000023D4E214000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390255205.0000023D4B800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390388336.0000023D4BA21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1496348881.0000023D53F4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390520476.0000023D4BA40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390849921.0000023D4BA7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	firefox.exe, 00000010.00000002.2588420109.0000022D681CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2586892427.00000213C77E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2591943052.00000226BCA03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.2587456908.0000022D67F30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2590787730.00000213C7C60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2586590184.00000226BC5A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 0000000E.00000003.1536371933.0000023D57373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1488721461.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1537605790.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1544808947.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000E.00000003.1434700766.0000023D4CB10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1433682166.0000023D4CA56000.00000004.00000800.00020000.00000000.sdmp	false	high
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000E.00000003.1394574039.0000023D4B233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1500276038.0000023D4B22A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1394180447.0000023D4B22A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1393427076.0000023D4B233000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/complete/search	firefox.exe, 0000000E.00000003.1418016139.0000023D4FA38000.00000004.00000800.00020000.00000000.sdmp	false	high
https://watch.sling.com/	firefox.exe, 0000000E.00000003.1542618768.0000023D4E13B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.com/firefox/new_tab_learn_more/	firefox.exe, 0000000E.00000003.1545063612.0000023D4F964000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1488965166.0000023D4F964000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1537928659.0000023D4F964000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	firefox.exe, 00000010.00000002.2588420109.0000022D681CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2586892427.00000213C77E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2591943052.00000226BCA03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 0000000E.00000003.1419377732.0000023D4FA3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1503384674.0000023D4FA36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418815192.0000023D4FA40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1417490009.0000023D4FA44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1417962749.0000023D4FA45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/complete/	firefox.exe, 0000000E.00000003.1559358536.0000023D4CDAD000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562255
Start date and time:	2024-11-25 12:07:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@33/34@72/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.32.237.164, 52.27.142.243, 34.209.229.249, 172.217.17.78, 88.221.134.209, 88.221.134.155, 172.217.17.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, azureedge-t-prod.trafficmanager.net, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
06:08:22	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	https://protect-us.mimecast.com/s/N4SFCv2zvkHW7wOAuzlFYe	Get hash	malicious	Unknown	Browse	34.36.49.68
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	http://www.kalenderpedia.de	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://protect-us.mimecast.com/s/N4SFCv2zvkHW7wOAuzlFYe	Get hash	malicious	Unknown	Browse	199.232.215.52
	http://propdfhub.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	151.101.130.137
ATGS-MMD-ASUS	https://protect-us.mimecast.com/s/N4SFCv2zvkHW7wOAuzlFYe	Get hash	malicious	Unknown	Browse	34.36.49.68
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dea8bdd6-ded2-44c3-b4aa-716f26b8b3f0.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.171243686628297
Encrypted:	false
SSDEEP:	192:aMvMXdidMdXcbhbVbTbfbRbObtbyEl7n5roJA6unSrDtTkd/S9P:aFhcNhnzFSJZrb1nSrDhkd/cP
MD5:	38ECFED9F26A4EE6888A41C01A281CEC
SHA1:	53C1D78F3343AE597210EDC69B65AB6462134DAA
SHA-256:	5F59E3D0DDFD40C6DF0CF173C94DCEC1F48107D71CDB194B899971818039F28B
SHA-512:	72AC8909799A4E3BBF00002570DD1C12F381DB253B14551D238EB996A9B282EC1443A40214BFF383182ED12C93712260AEE428A451F29535C33793140AA0FC30
Malicious:	false
Preview:	{"type":"uninstall","id":"dea8bdd6-ded2-44c3-b4aa-716f26b8b3f0","creationDate":"2024-11-25T12:47:08.686Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dea8bdd6-ded2-44c3-b4aa-716f26b8b3f0.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.171243686628297
Encrypted:	false
SSDEEP:	192:aMvMXdidMdXcbhbVbTbfbRbObtbyEl7n5roJA6unSrDtTkd/S9P:aFhcNhnzFSJZrb1nSrDhkd/cP
MD5:	38ECFED9F26A4EE6888A41C01A281CEC
SHA1:	53C1D78F3343AE597210EDC69B65AB6462134DAA
SHA-256:	5F59E3D0DDFD40C6DF0CF173C94DCEC1F48107D71CDB194B899971818039F28B
SHA-512:	72AC8909799A4E3BBF00002570DD1C12F381DB253B14551D238EB996A9B282EC1443A40214BFF383182ED12C93712260AEE428A451F29535C33793140AA0FC30
Malicious:	false
Preview:	{"type":"uninstall","id":"dea8bdd6-ded2-44c3-b4aa-716f26b8b3f0","creationDate":"2024-11-25T12:47:08.686Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.936508280177586
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLGs8P:8S+Oc+UAOdwiOdKeQjDLGs8P
MD5:	DCF008BDE0CAEB35612CCB75E131FFDF
SHA1:	A17E55EAA8462122EABCDC614C3AE9EA330A09DD
SHA-256:	595A9447CA4C71973933312680C7F6D5C033137D410EF6B09F01271FF294D75B
SHA-512:	23D2AF70DF5307E8037F9159E8032A57EE5670037D875B0970012454F66C33E63B37C549FBDC2FB7F2B831B9B177240D823BBE7294E12D87F6B4E19D549C836D
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.936508280177586
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLGs8P:8S+Oc+UAOdwiOdKeQjDLGs8P
MD5:	DCF008BDE0CAEB35612CCB75E131FFDF
SHA1:	A17E55EAA8462122EABCDC614C3AE9EA330A09DD
SHA-256:	595A9447CA4C71973933312680C7F6D5C033137D410EF6B09F01271FF294D75B
SHA-512:	23D2AF70DF5307E8037F9159E8032A57EE5670037D875B0970012454F66C33E63B37C549FBDC2FB7F2B831B9B177240D823BBE7294E12D87F6B4E19D549C836D
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07325424731311561
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	E562E1D247B95FDD9D053A3F3ACE31AF
SHA1:	0AF0B8FDAD2C9DBF75D0FB7D776851C93EEF7BE8
SHA-256:	07D6AF4AA887972A12F132EAF9693E74CF3564728163E01E47877778F894B15A
SHA-512:	9B5437EFA9A85881F36C1388DB57ECBA034C9B79546A7746AED08CCE8FC0E3E207A442659ACF0F0ED81164089B6E2571C1FFAC6DE4CF8BB1C0805E7B1BF00185
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03446739413707257
Encrypted:	false
SSDEEP:	3:GtlstFvH696b77iW1lstFvH696b77i1lT89//alEl:GtWto96b771Wto96b7yJ89XuM
MD5:	8E4B91C742517362F7236D3754993517
SHA1:	423CB1A4A3AE841232B9B0E34A2608155ABCCDB3
SHA-256:	68872376ABEC82D03437D9E0F41C50D74B22EBF79EBD3775E63C550DF801A623
SHA-512:	445DA5C8678BBF92E0CA1213F2D5B112AD8E549A44CDC3D50118A59EEB3F01210A1F1ABD597D9E47FB2C237FF7C723AA8B0D3AB04C1BCB63FE5345FA37EC8C17
Malicious:	false
Preview:	..-.....................x....v"h'.......VC.)......-.....................x....v"h'.......VC.)............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03963053308770314
Encrypted:	false
SSDEEP:	3:Ol1h2ClACC9rr/8Ll8rEXsxdwhml8XW3R2:K/2wLl8dMhm93w
MD5:	A1083F58CAE8863DB3AF5D95F92A6D61
SHA1:	08C28E4887D8F7F1518901FADFDECB77028AF65C
SHA-256:	F7B7A9A0FA9FFB7A2CC7B7BD12FCC3F015FEE3970A82E6569A4202C4F70C30B6
SHA-512:	3DDF9437E639BF0B6B35D6EEC7E2CD9C1690334723177A72EA1D59A8C20383EA0029583B3FCC93744529557F62636368D6943D1C521232064ED4FFC4A6B132F8
Malicious:	false
Preview:	7....-..........'........m.:{S..........'........xh"v.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478331716101015
Encrypted:	false
SSDEEP:	192:l3nSRkyYbBp6NqUCaX16VN3NeX5RHNBw8dhnSl:EeCqUUDdwPwe0
MD5:	238D0909DA088EE395F6CCE28C81B0A7
SHA1:	3DE543886AD558BD7043A8C86EF573FFFA4F460E
SHA-256:	A1E91A8F3800D707B219D89AAA7D6B52A01DBE4CC759FB19C38BD40F0C218216
SHA-512:	381796C216E7D3C0E22E89A6A34FCCD998A77E46A51396E22A43CF1BB5D3421C33A8B0629852B0AFDBC78BF45205F82E9FA72D22CEDCCFF104D80D0D260F6B43
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732538798);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732538798);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732538798);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173253

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478331716101015
Encrypted:	false
SSDEEP:	192:l3nSRkyYbBp6NqUCaX16VN3NeX5RHNBw8dhnSl:EeCqUUDdwPwe0
MD5:	238D0909DA088EE395F6CCE28C81B0A7
SHA1:	3DE543886AD558BD7043A8C86EF573FFFA4F460E
SHA-256:	A1E91A8F3800D707B219D89AAA7D6B52A01DBE4CC759FB19C38BD40F0C218216
SHA-512:	381796C216E7D3C0E22E89A6A34FCCD998A77E46A51396E22A43CF1BB5D3421C33A8B0629852B0AFDBC78BF45205F82E9FA72D22CEDCCFF104D80D0D260F6B43
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732538798);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732538798);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732538798);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173253

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.3337306134337386
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSBoVFWLXnIgUz/pnxQwRlszT5sKhiT3eHVVPNZT5amhuj3pOOcUb2d:GUpOxDVIQnR6C3etZT545edHd
MD5:	8A29FE97B7AD51BF94445A9E90D95DCA
SHA1:	E61FB25F10310D5BC5810AB70EC1B08BC7A4D7C7
SHA-256:	8F51AE483EF5983D5BDA5F5A0B73B4D22CBF3BCEDA0935F3CB30D355546C89A6
SHA-512:	CD11C0BB7C0D25A3AA23DA480D7C8F134ABA917D631710671608E1588BE48B361263DC1F6EA1CA3EAA29DA32B2088D193F5819A33010678C393A2D10FE8AA1FA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8f57c843-823c-4d7b-bc75-211f8a7e0bd6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732538802352,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`767739...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....771915,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.3337306134337386
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSBoVFWLXnIgUz/pnxQwRlszT5sKhiT3eHVVPNZT5amhuj3pOOcUb2d:GUpOxDVIQnR6C3etZT545edHd
MD5:	8A29FE97B7AD51BF94445A9E90D95DCA
SHA1:	E61FB25F10310D5BC5810AB70EC1B08BC7A4D7C7
SHA-256:	8F51AE483EF5983D5BDA5F5A0B73B4D22CBF3BCEDA0935F3CB30D355546C89A6
SHA-512:	CD11C0BB7C0D25A3AA23DA480D7C8F134ABA917D631710671608E1588BE48B361263DC1F6EA1CA3EAA29DA32B2088D193F5819A33010678C393A2D10FE8AA1FA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8f57c843-823c-4d7b-bc75-211f8a7e0bd6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732538802352,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`767739...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....771915,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.3337306134337386
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSBoVFWLXnIgUz/pnxQwRlszT5sKhiT3eHVVPNZT5amhuj3pOOcUb2d:GUpOxDVIQnR6C3etZT545edHd
MD5:	8A29FE97B7AD51BF94445A9E90D95DCA
SHA1:	E61FB25F10310D5BC5810AB70EC1B08BC7A4D7C7
SHA-256:	8F51AE483EF5983D5BDA5F5A0B73B4D22CBF3BCEDA0935F3CB30D355546C89A6
SHA-512:	CD11C0BB7C0D25A3AA23DA480D7C8F134ABA917D631710671608E1588BE48B361263DC1F6EA1CA3EAA29DA32B2088D193F5819A33010678C393A2D10FE8AA1FA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8f57c843-823c-4d7b-bc75-211f8a7e0bd6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732538802352,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`767739...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....771915,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036637926263884
Encrypted:	false
SSDEEP:	48:YrSAYjCeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycm+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	2A9A15EC91A830EE160E24BD0826BE7E
SHA1:	EB4F90DA69E8E04DFD19BFF1610171EEACAF215F
SHA-256:	2868639018D1C4F23C04CFB732DA05A09E64FED901A67D0F207B5DE17B0164BF
SHA-512:	3FB62750A3A974CB0A7DEE3F2D26A6870BCA31630CD397FCF21BEA2FE50D7B715482FFC31B9910FC38226E7CAB7DCA7702E6F00E928B4910976E69BC31DA0C32
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T12:46:17.412Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036637926263884
Encrypted:	false
SSDEEP:	48:YrSAYjCeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycm+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	2A9A15EC91A830EE160E24BD0826BE7E
SHA1:	EB4F90DA69E8E04DFD19BFF1610171EEACAF215F
SHA-256:	2868639018D1C4F23C04CFB732DA05A09E64FED901A67D0F207B5DE17B0164BF
SHA-512:	3FB62750A3A974CB0A7DEE3F2D26A6870BCA31630CD397FCF21BEA2FE50D7B715482FFC31B9910FC38226E7CAB7DCA7702E6F00E928B4910976E69BC31DA0C32
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T12:46:17.412Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.59038313181181
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	921'600 bytes
MD5:	088bf96f7f07f9d38d2deeb897b64873
SHA1:	12f050450140a99f0b834c6dd9070e73116877f7
SHA256:	3fc67f9ae859f3da233203e40d88f00aff6f0c2c9c58d9d562ee8fe7cbf20c7a
SHA512:	2e98491e4a3169c52d1acdfeceb18d01ffaa9229993dc97c2f36042157069244c28f0047c35a29d7579a5e4ecbb5320d333f7d82ec77724cf6ccb016cf6acc96
SSDEEP:	24576:JqDEvCTbMWu7rQYlBQcBiT6rprG8aH94s:JTvC/MTQYxsWR7aH9
TLSH:	AA159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67445485 [Mon Nov 25 10:42:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F4864DEF7D3h
jmp 00007F4864DEF0DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4864DEF2BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4864DEF28Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4864DF1E7Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F4864DF1EC8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F4864DF1EB1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa57c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa57c	0xa600	ff141df4a1bf187b98cad5be73bbffd0	False	0.3598691641566265	data	5.572569216650966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1842	data			1.0017713365539453
RT_GROUP_ICON	0xddffc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde074	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde088	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde09c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde0b0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde18c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 12:08:21.563095093 CET	49724	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:21.563123941 CET	443	49724	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:21.563342094 CET	49724	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:21.568399906 CET	49724	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:21.568418980 CET	443	49724	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:21.573545933 CET	49725	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:21.573564053 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:21.586060047 CET	49725	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:21.587574959 CET	49725	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:21.587591887 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:21.637322903 CET	49726	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:21.637341022 CET	443	49726	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:21.639652967 CET	49726	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:21.641133070 CET	49726	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:21.641149044 CET	443	49726	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:22.154361010 CET	49727	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:22.274076939 CET	80	49727	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:22.274250031 CET	49727	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:22.274524927 CET	49727	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:22.394108057 CET	80	49727	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:22.505569935 CET	49733	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:22.505621910 CET	443	49733	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:22.505880117 CET	49733	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:22.507358074 CET	49733	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:22.507373095 CET	443	49733	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:22.600370884 CET	49734	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:22.600399971 CET	443	49734	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:22.600922108 CET	49734	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:22.613519907 CET	49734	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:22.613540888 CET	443	49734	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:22.623974085 CET	49735	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:22.623985052 CET	443	49735	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:22.624048948 CET	49735	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:22.624172926 CET	49735	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:22.624186993 CET	443	49735	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:22.831872940 CET	443	49724	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:22.831954956 CET	49724	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:22.837359905 CET	49736	443	192.168.2.7	34.160.144.191
Nov 25, 2024 12:08:22.837378025 CET	443	49736	34.160.144.191	192.168.2.7
Nov 25, 2024 12:08:22.838196039 CET	49736	443	192.168.2.7	34.160.144.191
Nov 25, 2024 12:08:22.838536024 CET	49736	443	192.168.2.7	34.160.144.191
Nov 25, 2024 12:08:22.838548899 CET	443	49736	34.160.144.191	192.168.2.7
Nov 25, 2024 12:08:22.842077971 CET	49724	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:22.842087984 CET	443	49724	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:22.842253923 CET	49724	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:22.842293978 CET	443	49724	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:22.842618942 CET	49737	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:22.842627048 CET	443	49737	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:22.842694044 CET	49724	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:22.842736006 CET	49737	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:22.844124079 CET	49737	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:22.844135046 CET	443	49737	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:23.330575943 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.330591917 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.331331968 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.332604885 CET	443	49726	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.333334923 CET	443	49726	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.338886976 CET	49725	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.338891983 CET	49726	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.338912010 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.338941097 CET	443	49726	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.347440004 CET	49725	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.347456932 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.347634077 CET	49725	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.347636938 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.347650051 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.348850965 CET	49726	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.348880053 CET	443	49726	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.348974943 CET	49726	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.349085093 CET	443	49726	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.352121115 CET	49739	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.352138042 CET	443	49739	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.356798887 CET	49726	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.356872082 CET	49739	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.358402967 CET	49739	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.358414888 CET	443	49739	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.454226971 CET	80	49727	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:23.459521055 CET	49727	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:23.463089943 CET	49740	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:23.463114023 CET	443	49740	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:23.463897943 CET	49740	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:23.465348959 CET	49740	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:23.465362072 CET	443	49740	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:23.567338943 CET	443	49725	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:23.567513943 CET	49725	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:23.579422951 CET	80	49727	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:23.589461088 CET	49727	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:23.727957964 CET	49741	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:23.834011078 CET	443	49733	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:23.834332943 CET	49733	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:23.838864088 CET	49733	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:23.838871956 CET	443	49733	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:23.838979006 CET	49733	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:23.839165926 CET	443	49733	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:23.839246988 CET	49733	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:23.847553015 CET	80	49741	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:23.847733974 CET	49741	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:23.847964048 CET	49741	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:23.888001919 CET	443	49735	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:23.888173103 CET	49735	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:23.891650915 CET	49735	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:23.891659021 CET	443	49735	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:23.891681910 CET	443	49734	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:23.891805887 CET	49734	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:23.891915083 CET	443	49735	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:23.896102905 CET	49735	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:23.896250963 CET	443	49735	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:23.896311045 CET	49735	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:23.896318913 CET	443	49735	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:23.896472931 CET	49734	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:23.896476984 CET	443	49734	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:23.896538019 CET	49734	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:23.896656990 CET	443	49734	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:23.896821022 CET	49734	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:23.967396021 CET	80	49741	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:24.033809900 CET	49743	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:24.033852100 CET	443	49743	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:24.034641027 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:24.039316893 CET	49743	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:24.040779114 CET	49743	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:24.040791988 CET	443	49743	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:24.107331038 CET	443	49735	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:24.108490944 CET	49735	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:24.145755053 CET	443	49736	34.160.144.191	192.168.2.7
Nov 25, 2024 12:08:24.146720886 CET	443	49737	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:24.148869038 CET	49736	443	192.168.2.7	34.160.144.191
Nov 25, 2024 12:08:24.148869038 CET	49737	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:24.152050972 CET	49736	443	192.168.2.7	34.160.144.191
Nov 25, 2024 12:08:24.152060032 CET	443	49736	34.160.144.191	192.168.2.7
Nov 25, 2024 12:08:24.152322054 CET	443	49736	34.160.144.191	192.168.2.7
Nov 25, 2024 12:08:24.154839993 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:24.156564951 CET	49736	443	192.168.2.7	34.160.144.191
Nov 25, 2024 12:08:24.156642914 CET	49736	443	192.168.2.7	34.160.144.191
Nov 25, 2024 12:08:24.156728029 CET	443	49736	34.160.144.191	192.168.2.7
Nov 25, 2024 12:08:24.157088041 CET	49737	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:24.157099962 CET	443	49737	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:24.157150030 CET	49737	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:24.157259941 CET	443	49737	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:24.168955088 CET	49736	443	192.168.2.7	34.160.144.191
Nov 25, 2024 12:08:24.168977976 CET	49737	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:24.168996096 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:24.169478893 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:24.177052975 CET	49745	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:24.177104950 CET	443	49745	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:24.177258968 CET	49745	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:24.178730965 CET	49745	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:24.178747892 CET	443	49745	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:24.247351885 CET	49746	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:24.247402906 CET	443	49746	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:24.250204086 CET	49746	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:24.251893997 CET	49746	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:24.251904011 CET	443	49746	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:24.288969040 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:24.400196075 CET	49747	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:24.400229931 CET	443	49747	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:24.400702953 CET	49747	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:24.400845051 CET	49747	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:24.400854111 CET	443	49747	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:24.733472109 CET	443	49740	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:24.733545065 CET	49740	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:24.761738062 CET	49740	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:24.761754990 CET	443	49740	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:24.761862993 CET	49740	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:24.762032032 CET	443	49740	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:24.762342930 CET	49740	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:24.987986088 CET	80	49741	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:24.988293886 CET	49741	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:25.108145952 CET	80	49741	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:25.108201027 CET	49741	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:25.140178919 CET	443	49739	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:25.140253067 CET	49739	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:25.140917063 CET	443	49739	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:25.144063950 CET	49739	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:25.147953033 CET	49739	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:25.147960901 CET	443	49739	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:25.148062944 CET	49739	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:25.148137093 CET	443	49739	142.250.181.78	192.168.2.7
Nov 25, 2024 12:08:25.148199081 CET	49739	443	192.168.2.7	142.250.181.78
Nov 25, 2024 12:08:25.299971104 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:25.305896997 CET	443	49743	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:25.313414097 CET	49743	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:25.317995071 CET	49743	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:25.318006039 CET	443	49743	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:25.318074942 CET	49743	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:25.318238020 CET	443	49743	34.117.188.166	192.168.2.7
Nov 25, 2024 12:08:25.329014063 CET	49743	443	192.168.2.7	34.117.188.166
Nov 25, 2024 12:08:25.344616890 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:25.484272003 CET	443	49745	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:25.484371901 CET	49745	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:25.489149094 CET	49745	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:25.489156961 CET	443	49745	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:25.489240885 CET	49745	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:25.489316940 CET	443	49745	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:25.489402056 CET	49745	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:25.512115002 CET	443	49746	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:25.512440920 CET	49746	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:25.653954983 CET	49746	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:25.653981924 CET	443	49746	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:25.654083014 CET	49746	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:25.654261112 CET	443	49746	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:25.657063007 CET	443	49747	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:25.658663034 CET	49746	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:25.658847094 CET	49747	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:25.661499977 CET	49747	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:25.661524057 CET	443	49747	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:25.661793947 CET	443	49747	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:25.664474010 CET	49747	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:25.664549112 CET	49747	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:25.664640903 CET	443	49747	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:25.669938087 CET	49747	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:25.669964075 CET	49747	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:25.838449955 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:25.839273930 CET	49753	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:25.958098888 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:25.958914042 CET	80	49753	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:25.959081888 CET	49753	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:25.959336042 CET	49753	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:25.979589939 CET	49755	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:25.979608059 CET	443	49755	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:25.980226040 CET	49755	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:25.981893063 CET	49755	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:25.981904030 CET	443	49755	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:26.079096079 CET	80	49753	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:26.162136078 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:26.216042042 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:26.233982086 CET	49753	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:26.244714022 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:26.249623060 CET	49757	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:26.249676943 CET	443	49757	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:26.251996994 CET	49758	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:26.252027035 CET	443	49758	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:26.262938976 CET	49757	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:26.263047934 CET	49758	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:26.263159990 CET	49757	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:26.263178110 CET	443	49757	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:26.364378929 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:26.385451078 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:26.395720959 CET	80	49753	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:26.472301960 CET	49758	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:26.472332001 CET	443	49758	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:26.475500107 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:26.595029116 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:26.889978886 CET	80	49753	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:26.893785954 CET	49753	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:27.282974005 CET	443	49755	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:27.284096956 CET	49755	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:27.288741112 CET	49755	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:27.288749933 CET	443	49755	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:27.288850069 CET	49755	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:27.288925886 CET	443	49755	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:27.289021015 CET	49755	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:27.516973972 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:27.562613010 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:27.570350885 CET	443	49757	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:27.570385933 CET	443	49757	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:27.570417881 CET	49757	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:27.573389053 CET	49757	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:27.573410034 CET	443	49757	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:27.574182034 CET	443	49757	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:27.576232910 CET	49757	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:27.576314926 CET	49757	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:27.576479912 CET	443	49757	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:27.576550961 CET	49757	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:27.774354935 CET	443	49758	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:27.774375916 CET	443	49758	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:27.778959036 CET	49758	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:27.783744097 CET	49758	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:27.783744097 CET	49758	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:27.783756018 CET	443	49758	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:27.784037113 CET	443	49758	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:27.788578987 CET	49758	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:28.372807980 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:28.492486954 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:28.696614027 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:28.743273020 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:32.885309935 CET	49779	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.885349035 CET	443	49779	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:32.885602951 CET	49780	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.885660887 CET	443	49780	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:32.885723114 CET	49781	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.885771036 CET	443	49781	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:32.886545897 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:32.887872934 CET	49782	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.887881994 CET	443	49782	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:32.889827967 CET	49779	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.889842033 CET	49780	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.889842987 CET	49781	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.889970064 CET	49782	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.889971018 CET	49779	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.889987946 CET	443	49779	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:32.890110016 CET	49781	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.890136003 CET	443	49781	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:32.890170097 CET	49780	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.890187025 CET	443	49780	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:32.891619921 CET	49782	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:32.891633034 CET	443	49782	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:33.006293058 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:33.209945917 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:33.254988909 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:33.427961111 CET	49783	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:33.427994967 CET	443	49783	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:33.430294037 CET	49783	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:33.431675911 CET	49783	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:33.431694984 CET	443	49783	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:33.554389954 CET	49785	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:33.554410934 CET	443	49785	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:33.556163073 CET	49785	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:33.556360006 CET	49785	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:33.556370974 CET	443	49785	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:34.147758007 CET	443	49779	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.147831917 CET	49779	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.195050001 CET	443	49782	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.195127964 CET	49782	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.195241928 CET	443	49781	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.195306063 CET	49781	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.200270891 CET	443	49780	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.200344086 CET	49780	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.315660000 CET	49779	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.315680027 CET	443	49779	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.316004992 CET	443	49779	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.317895889 CET	49781	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.317914009 CET	443	49781	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.318249941 CET	443	49781	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.320871115 CET	49780	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.320885897 CET	443	49780	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.321938038 CET	443	49780	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.327286959 CET	49779	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.327496052 CET	443	49779	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.327572107 CET	49779	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.327580929 CET	443	49779	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.327668905 CET	49781	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.327858925 CET	443	49781	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.328001976 CET	49781	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.328012943 CET	443	49781	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.328073978 CET	49780	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.328257084 CET	49780	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.328555107 CET	443	49780	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.328572989 CET	49779	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.328589916 CET	49781	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.328706980 CET	49780	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.641869068 CET	443	49783	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:34.653145075 CET	49783	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:34.721472979 CET	49782	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.721509933 CET	443	49782	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.721594095 CET	49782	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.721779108 CET	443	49782	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:34.722807884 CET	49783	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:34.722835064 CET	443	49783	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:34.722867966 CET	49783	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:34.723015070 CET	443	49783	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:34.723023891 CET	49782	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:34.723268986 CET	49783	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:35.108967066 CET	443	49785	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:35.114499092 CET	49785	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:35.312871933 CET	49785	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:35.312895060 CET	443	49785	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:35.313219070 CET	443	49785	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:35.316220999 CET	49785	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:35.316308022 CET	49785	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:35.316406012 CET	443	49785	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:35.316459894 CET	49785	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:35.362279892 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:35.481728077 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:35.685925961 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:35.744515896 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:35.984371901 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:35.985392094 CET	49791	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:35.985424995 CET	443	49791	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:35.986222982 CET	49791	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:35.986408949 CET	49791	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:35.986422062 CET	443	49791	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:35.997569084 CET	49792	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:35.997591019 CET	443	49792	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:35.997896910 CET	49792	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:35.999520063 CET	49792	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:35.999528885 CET	443	49792	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:36.103894949 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:36.308846951 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:36.361824036 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:37.215460062 CET	443	49792	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:37.215553999 CET	49792	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.290524006 CET	443	49791	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:37.290627956 CET	49791	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.737849951 CET	49791	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.737878084 CET	443	49791	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:37.738415956 CET	443	49791	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:37.741919994 CET	49792	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.741940022 CET	443	49792	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:37.742068052 CET	49792	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.742182016 CET	49791	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.742202997 CET	443	49792	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:37.742336988 CET	49791	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.742388010 CET	443	49791	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:37.743415117 CET	49791	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.743449926 CET	49791	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.743462086 CET	49792	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.745421886 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:37.748493910 CET	49797	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.748517990 CET	443	49797	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:37.748621941 CET	49797	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.750128984 CET	49797	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:37.750140905 CET	443	49797	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:37.865371943 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:38.069216013 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:38.072760105 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:38.114003897 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:38.192354918 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:38.397123098 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:38.436893940 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:39.007395029 CET	443	49797	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:39.007739067 CET	49797	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:39.012346983 CET	49797	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:39.012356997 CET	443	49797	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:39.012487888 CET	49797	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:39.012506008 CET	443	49797	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:39.014137983 CET	49797	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:39.016521931 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:39.020207882 CET	49803	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:39.020232916 CET	443	49803	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:39.020452023 CET	49803	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:39.021831989 CET	49803	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:39.021842003 CET	443	49803	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:39.136143923 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:39.340137005 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:39.343708992 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:39.386400938 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:39.463768959 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:39.667908907 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:39.718538046 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:40.280462027 CET	443	49803	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:40.280606985 CET	49803	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:40.286112070 CET	49803	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:40.286118984 CET	443	49803	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:40.286201000 CET	49803	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:40.286334038 CET	443	49803	34.120.208.123	192.168.2.7
Nov 25, 2024 12:08:40.286973000 CET	49803	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:08:40.289973021 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:40.409436941 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:40.613419056 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:40.617324114 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:40.658945084 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:40.736895084 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:40.940624952 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:40.991066933 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:44.862607002 CET	49814	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:44.862657070 CET	443	49814	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:44.867072105 CET	49814	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:44.868700027 CET	49814	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:44.868720055 CET	443	49814	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:46.084427118 CET	443	49814	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:46.084527016 CET	49814	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:46.091211081 CET	49814	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:46.091219902 CET	443	49814	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:46.091377020 CET	49814	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:46.091459036 CET	443	49814	34.107.243.93	192.168.2.7
Nov 25, 2024 12:08:46.091650009 CET	49814	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:08:46.095519066 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:46.215372086 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:46.419229031 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:46.424304962 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:46.460454941 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:46.544817924 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:46.748804092 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:46.792598963 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:48.723119974 CET	49825	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:48.723229885 CET	443	49825	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:48.723349094 CET	49825	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:48.723481894 CET	49825	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:48.723522902 CET	443	49825	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:48.760098934 CET	49826	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:48.760116100 CET	443	49826	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:48.760356903 CET	49826	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:48.761826038 CET	49826	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:48.761838913 CET	443	49826	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:48.859354973 CET	49827	443	192.168.2.7	151.101.65.91
Nov 25, 2024 12:08:48.859383106 CET	443	49827	151.101.65.91	192.168.2.7
Nov 25, 2024 12:08:48.859580994 CET	49827	443	192.168.2.7	151.101.65.91
Nov 25, 2024 12:08:48.859716892 CET	49827	443	192.168.2.7	151.101.65.91
Nov 25, 2024 12:08:48.859730005 CET	443	49827	151.101.65.91	192.168.2.7
Nov 25, 2024 12:08:48.860635996 CET	49828	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:48.860657930 CET	443	49828	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:48.860996008 CET	49828	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:48.861063957 CET	49828	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:48.861072063 CET	443	49828	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:48.906291962 CET	49829	443	192.168.2.7	35.201.103.21
Nov 25, 2024 12:08:48.906333923 CET	443	49829	35.201.103.21	192.168.2.7
Nov 25, 2024 12:08:48.906445980 CET	49829	443	192.168.2.7	35.201.103.21
Nov 25, 2024 12:08:48.907794952 CET	49829	443	192.168.2.7	35.201.103.21
Nov 25, 2024 12:08:48.907809973 CET	443	49829	35.201.103.21	192.168.2.7
Nov 25, 2024 12:08:49.993618011 CET	443	49825	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:49.993696928 CET	49825	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:49.996376991 CET	443	49826	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:49.996463060 CET	49826	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:49.997452021 CET	49825	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:49.997458935 CET	443	49825	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:49.997694016 CET	443	49825	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:50.002727985 CET	49825	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:50.002829075 CET	49825	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:50.002871037 CET	443	49825	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:50.003051996 CET	49826	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:50.003056049 CET	443	49826	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:50.003106117 CET	49826	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:50.003206968 CET	443	49826	35.190.72.216	192.168.2.7
Nov 25, 2024 12:08:50.003273964 CET	49825	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:50.003293037 CET	49826	443	192.168.2.7	35.190.72.216
Nov 25, 2024 12:08:50.006443977 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:50.121433020 CET	443	49828	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.121519089 CET	49828	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.124304056 CET	443	49827	151.101.65.91	192.168.2.7
Nov 25, 2024 12:08:50.125200033 CET	49828	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.125211954 CET	443	49828	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.125392914 CET	49827	443	192.168.2.7	151.101.65.91
Nov 25, 2024 12:08:50.125601053 CET	443	49828	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.125879049 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:50.128216982 CET	49827	443	192.168.2.7	151.101.65.91
Nov 25, 2024 12:08:50.128222942 CET	443	49827	151.101.65.91	192.168.2.7
Nov 25, 2024 12:08:50.128546953 CET	443	49827	151.101.65.91	192.168.2.7
Nov 25, 2024 12:08:50.131376982 CET	49828	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.131481886 CET	49828	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.131608009 CET	443	49828	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.131709099 CET	49827	443	192.168.2.7	151.101.65.91
Nov 25, 2024 12:08:50.131755114 CET	49827	443	192.168.2.7	151.101.65.91
Nov 25, 2024 12:08:50.131880999 CET	443	49827	151.101.65.91	192.168.2.7
Nov 25, 2024 12:08:50.131900072 CET	49828	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.132056952 CET	49827	443	192.168.2.7	151.101.65.91
Nov 25, 2024 12:08:50.145751953 CET	49835	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.145776987 CET	443	49835	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.146723986 CET	49836	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.146766901 CET	443	49836	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.148575068 CET	49835	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.149013042 CET	49836	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.149429083 CET	49835	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.149441957 CET	443	49835	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.149537086 CET	49836	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.149550915 CET	443	49836	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.151846886 CET	49837	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.151891947 CET	443	49837	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.157048941 CET	49837	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.157186985 CET	49837	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:50.157202005 CET	443	49837	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:50.214946985 CET	443	49829	35.201.103.21	192.168.2.7
Nov 25, 2024 12:08:50.215032101 CET	49829	443	192.168.2.7	35.201.103.21
Nov 25, 2024 12:08:50.219825983 CET	49829	443	192.168.2.7	35.201.103.21
Nov 25, 2024 12:08:50.219842911 CET	443	49829	35.201.103.21	192.168.2.7
Nov 25, 2024 12:08:50.219927073 CET	49829	443	192.168.2.7	35.201.103.21
Nov 25, 2024 12:08:50.219990969 CET	443	49829	35.201.103.21	192.168.2.7
Nov 25, 2024 12:08:50.220578909 CET	49829	443	192.168.2.7	35.201.103.21
Nov 25, 2024 12:08:50.224370956 CET	49838	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:50.224415064 CET	443	49838	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:50.224534035 CET	49838	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:50.224663019 CET	49838	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:50.224674940 CET	443	49838	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:50.329925060 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:50.333564043 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:50.371815920 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:50.453059912 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:50.657222033 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:50.703955889 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:51.407701969 CET	443	49836	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.407788038 CET	49836	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.410594940 CET	49836	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.410602093 CET	443	49836	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.410917997 CET	443	49836	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.413081884 CET	49836	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.413191080 CET	49836	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.413256884 CET	443	49836	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.413686037 CET	49836	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.415587902 CET	443	49837	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.417040110 CET	49837	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.419739962 CET	49837	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.419751883 CET	443	49837	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.419840097 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:51.420015097 CET	443	49837	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.422873020 CET	49837	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.422979116 CET	49837	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.423044920 CET	443	49837	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.423103094 CET	49837	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.451504946 CET	443	49835	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.451596022 CET	49835	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.454452038 CET	49835	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.454457998 CET	443	49835	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.454678059 CET	443	49835	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.456927061 CET	49835	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.457026958 CET	49835	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.457056999 CET	443	49835	35.244.181.201	192.168.2.7
Nov 25, 2024 12:08:51.459983110 CET	49835	443	192.168.2.7	35.244.181.201
Nov 25, 2024 12:08:51.488490105 CET	443	49838	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:51.488581896 CET	49838	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:51.491672039 CET	49838	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:51.491679907 CET	443	49838	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:51.492055893 CET	443	49838	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:51.494204044 CET	49838	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:51.494234085 CET	49838	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:51.494426966 CET	443	49838	34.149.100.209	192.168.2.7
Nov 25, 2024 12:08:51.495043039 CET	49838	443	192.168.2.7	34.149.100.209
Nov 25, 2024 12:08:51.539386034 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:51.743271112 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:51.746509075 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:51.791619062 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:08:51.866209984 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:52.070699930 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:08:52.123676062 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:00.654901028 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:00.774461031 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:00.988574982 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:00.996622086 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:01.034213066 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:01.116134882 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:01.321355104 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:01.366300106 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:06.612119913 CET	49875	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:06.612170935 CET	443	49875	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:06.612710953 CET	49875	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:06.614881039 CET	49875	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:06.614896059 CET	443	49875	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:07.871464968 CET	443	49875	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:07.871571064 CET	49875	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:07.876585007 CET	49875	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:07.876599073 CET	443	49875	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:07.876704931 CET	49875	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:07.876754999 CET	443	49875	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:07.876955032 CET	49875	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:07.879509926 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:07.998996973 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:08.203298092 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:08.206645966 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:08.255331993 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:08.326368093 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:08.530889034 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:08.571930885 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:18.216329098 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:18.337264061 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:18.532645941 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:18.652203083 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:19.630464077 CET	49907	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.630495071 CET	443	49907	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.630616903 CET	49908	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.630640984 CET	443	49908	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.630870104 CET	49910	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.630877972 CET	443	49910	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.630878925 CET	49909	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.630932093 CET	443	49909	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.631053925 CET	49911	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631062031 CET	443	49911	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.631135941 CET	49912	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631165981 CET	443	49912	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.631264925 CET	49907	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631294012 CET	49908	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631294012 CET	49910	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631321907 CET	49909	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631468058 CET	49907	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631469011 CET	49911	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631469965 CET	49912	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631483078 CET	443	49907	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.631573915 CET	49912	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631587982 CET	443	49912	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.631644011 CET	49911	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631658077 CET	443	49911	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.631699085 CET	49910	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631711960 CET	443	49910	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.631761074 CET	49909	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631771088 CET	443	49909	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:19.631823063 CET	49908	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:19.631833076 CET	443	49908	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.841911077 CET	443	49907	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.842056990 CET	49907	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.842441082 CET	443	49910	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.842538118 CET	49910	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.842827082 CET	443	49908	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.842892885 CET	49908	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.845609903 CET	49907	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.845623016 CET	443	49907	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.845838070 CET	443	49907	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.848125935 CET	49910	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.848131895 CET	443	49910	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.848419905 CET	443	49910	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.850332022 CET	49908	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.850336075 CET	443	49908	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.850545883 CET	443	49908	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.854219913 CET	49907	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.854361057 CET	49907	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.854398966 CET	443	49907	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.854912043 CET	49915	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.854960918 CET	443	49915	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.855037928 CET	49907	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.855057001 CET	49915	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.858088970 CET	49915	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.858109951 CET	443	49915	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.858776093 CET	49910	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.858890057 CET	49910	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.858977079 CET	443	49910	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.859369993 CET	49916	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.859406948 CET	443	49916	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.859781981 CET	49908	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.859889030 CET	49908	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.859903097 CET	443	49908	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.861778021 CET	49910	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.861826897 CET	49908	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.862000942 CET	49916	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.862001896 CET	49916	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.862036943 CET	443	49916	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.864608049 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:20.889353991 CET	443	49911	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.889499903 CET	49911	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.892661095 CET	49911	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.892672062 CET	443	49911	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.893086910 CET	443	49911	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.895278931 CET	49911	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.895378113 CET	49911	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.895487070 CET	443	49911	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.895849943 CET	49911	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.895868063 CET	49911	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.938371897 CET	443	49912	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.938385963 CET	443	49909	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.938468933 CET	49912	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.941060066 CET	49909	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.941739082 CET	49912	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.941746950 CET	443	49912	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.942086935 CET	443	49912	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.944314003 CET	49909	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.944340944 CET	443	49909	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.944610119 CET	443	49909	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.947792053 CET	49912	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.947911024 CET	49912	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.948030949 CET	443	49912	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.948240995 CET	49909	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.948307991 CET	49909	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.948409081 CET	443	49909	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:20.948960066 CET	49912	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.948968887 CET	49909	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:20.984270096 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:21.195636988 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:21.199362040 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:21.240595102 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:21.319421053 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:21.523865938 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:21.572693110 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:22.069025040 CET	443	49915	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.069161892 CET	49915	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.072791100 CET	49915	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.072804928 CET	443	49915	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.073004961 CET	443	49915	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.075654030 CET	49915	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.075783968 CET	49915	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.075792074 CET	443	49915	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.075802088 CET	443	49915	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.078763008 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:22.116846085 CET	443	49916	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.116913080 CET	49916	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.120362997 CET	49916	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.120378971 CET	443	49916	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.120584011 CET	443	49916	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.122770071 CET	49916	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.122879028 CET	443	49916	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.122905016 CET	49916	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.122910976 CET	443	49916	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.124100924 CET	49916	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.198321104 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:22.283340931 CET	443	49915	34.120.208.123	192.168.2.7
Nov 25, 2024 12:09:22.283401966 CET	49915	443	192.168.2.7	34.120.208.123
Nov 25, 2024 12:09:22.404768944 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:22.408004999 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:22.459736109 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:22.527662039 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:22.731856108 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:22.776402950 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:32.425964117 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:32.546204090 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:32.742513895 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:32.862091064 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:42.555109978 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:42.674602985 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:42.871635914 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:42.991134882 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:48.275770903 CET	49978	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:48.275820017 CET	443	49978	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:48.276134968 CET	49978	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:48.277733088 CET	49978	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:48.277748108 CET	443	49978	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:49.489893913 CET	443	49978	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:49.490083933 CET	49978	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:49.494817972 CET	49978	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:49.494831085 CET	443	49978	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:49.494934082 CET	49978	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:49.495007992 CET	443	49978	34.107.243.93	192.168.2.7
Nov 25, 2024 12:09:49.497598886 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:49.497940063 CET	49978	443	192.168.2.7	34.107.243.93
Nov 25, 2024 12:09:49.617063999 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:49.822411060 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:49.826026917 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:49.876096964 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:49.945580959 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:50.150276899 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:09:50.192589045 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:59.836390018 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:09:59.955982924 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:10:00.152790070 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:10:00.272380114 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:10:09.965643883 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:10:10.085153103 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:10:10.282140970 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:10:10.401710033 CET	80	49756	34.107.221.82	192.168.2.7
Nov 25, 2024 12:10:20.097816944 CET	49744	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:10:20.217304945 CET	80	49744	34.107.221.82	192.168.2.7
Nov 25, 2024 12:10:20.414305925 CET	49756	80	192.168.2.7	34.107.221.82
Nov 25, 2024 12:10:20.533927917 CET	80	49756	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 12:08:21.423351049 CET	50639	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:21.429044008 CET	56389	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:21.565295935 CET	50494	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:21.568121910 CET	53	56389	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:21.569191933 CET	63282	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:21.574084044 CET	57874	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:21.706280947 CET	53	50494	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:21.708755970 CET	53	63282	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:21.711635113 CET	53	57874	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:21.793996096 CET	62716	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:21.833424091 CET	51395	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:21.834192991 CET	65254	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:21.930828094 CET	53	62716	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:21.971992970 CET	53	51395	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:21.972198963 CET	53	65254	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.364835978 CET	62350	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.460913897 CET	53954	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.503703117 CET	53	62350	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.505769014 CET	64508	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.599364996 CET	53	53954	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.600840092 CET	52995	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.624228954 CET	52735	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.642774105 CET	53	64508	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.650069952 CET	64402	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.696995974 CET	57009	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.739634037 CET	53	52995	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.742074966 CET	58252	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.762918949 CET	53	52735	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.782762051 CET	52275	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.787853003 CET	53	64402	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.833897114 CET	53	57009	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.836008072 CET	54128	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.860682964 CET	63887	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.880579948 CET	53	58252	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.919807911 CET	53	52275	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.974042892 CET	53	54128	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:22.976922035 CET	64764	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:22.996521950 CET	60568	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:23.113971949 CET	53	64764	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:23.133589029 CET	53	60568	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:23.146275997 CET	57728	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:23.287766933 CET	53	57728	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:23.288496017 CET	53575	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:23.361294985 CET	53	52657	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:23.425292969 CET	53	53575	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:23.462683916 CET	55806	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:23.463089943 CET	55438	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:23.583585024 CET	61255	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:23.599360943 CET	53	55806	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:23.599781990 CET	53	55438	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:24.100727081 CET	60538	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:24.177181005 CET	61035	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:24.238893032 CET	53	60538	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:24.247687101 CET	63893	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:24.314371109 CET	53	61035	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:24.384646893 CET	53	63893	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:24.400633097 CET	62834	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:24.430039883 CET	56487	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:24.537714005 CET	53	62834	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:24.566786051 CET	53	56487	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:28.358949900 CET	56631	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:28.360095024 CET	54826	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:28.360413074 CET	60484	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:28.495805979 CET	53	56631	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:28.497071981 CET	53	54826	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:28.497783899 CET	53	60484	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:29.536556959 CET	53510	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:29.537338972 CET	56993	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:29.539388895 CET	56748	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:29.686031103 CET	53	56993	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:29.686047077 CET	53	53510	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:29.686099052 CET	53	56748	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:29.687135935 CET	60163	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:29.687135935 CET	56289	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:29.687566042 CET	55839	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:29.829315901 CET	53	55839	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:29.829334974 CET	53	56289	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:29.829459906 CET	53	60163	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:30.098645926 CET	49172	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:30.099181890 CET	58450	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:30.099351883 CET	52371	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:30.235874891 CET	53	49172	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:30.236309052 CET	53	58450	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:30.236712933 CET	53	52371	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:30.236821890 CET	49240	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:30.237215996 CET	51375	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:30.237543106 CET	50282	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:30.375473976 CET	53	50282	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:30.376147985 CET	53	49240	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:30.376240969 CET	52263	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:30.376784086 CET	56722	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:30.376954079 CET	53	51375	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:30.377362013 CET	53965	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:30.514692068 CET	53	56722	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:30.517184973 CET	53	52263	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:30.587150097 CET	53	53965	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:32.886410952 CET	53910	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:33.024240017 CET	53	53910	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:33.428265095 CET	63754	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:33.570540905 CET	53	63754	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:37.748550892 CET	52221	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:37.885818958 CET	53	52221	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:44.862941980 CET	60156	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:44.999644041 CET	53	60156	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:46.095247030 CET	58948	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:46.160861969 CET	59345	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:46.299158096 CET	53	59345	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:48.716506958 CET	60756	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:48.766019106 CET	53863	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:48.854758978 CET	53	60756	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:48.860105038 CET	54659	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:48.860518932 CET	50239	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:48.905035019 CET	53	53863	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:48.999509096 CET	53	54659	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:48.999521971 CET	53	50239	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:49.000437975 CET	58616	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:49.000437975 CET	64339	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:49.001431942 CET	58600	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:49.138514042 CET	53	58616	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:49.139302015 CET	53	58600	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:49.139724016 CET	53	64339	1.1.1.1	192.168.2.7
Nov 25, 2024 12:08:49.140227079 CET	60178	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:08:49.279241085 CET	53	60178	1.1.1.1	192.168.2.7
Nov 25, 2024 12:09:06.472311020 CET	55734	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:09:06.609559059 CET	53	55734	1.1.1.1	192.168.2.7
Nov 25, 2024 12:09:06.612622976 CET	58933	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:09:06.749741077 CET	53	58933	1.1.1.1	192.168.2.7
Nov 25, 2024 12:09:19.629286051 CET	52913	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:09:19.767214060 CET	53	52913	1.1.1.1	192.168.2.7
Nov 25, 2024 12:09:48.136419058 CET	64339	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:09:48.274693966 CET	53	64339	1.1.1.1	192.168.2.7
Nov 25, 2024 12:09:48.275949001 CET	65373	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:09:48.412772894 CET	53	65373	1.1.1.1	192.168.2.7
Nov 25, 2024 12:09:49.497896910 CET	55958	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:09:49.637382030 CET	55391	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:09:49.825552940 CET	61318	53	192.168.2.7	1.1.1.1
Nov 25, 2024 12:09:49.964006901 CET	49172	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 12:08:21.423351049 CET	192.168.2.7	1.1.1.1	0xbb13	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.429044008 CET	192.168.2.7	1.1.1.1	0x91a2	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.565295935 CET	192.168.2.7	1.1.1.1	0x2e84	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.569191933 CET	192.168.2.7	1.1.1.1	0xf97d	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.574084044 CET	192.168.2.7	1.1.1.1	0xc74c	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.793996096 CET	192.168.2.7	1.1.1.1	0xa56e	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:21.833424091 CET	192.168.2.7	1.1.1.1	0x9bd7	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 12:08:21.834192991 CET	192.168.2.7	1.1.1.1	0x6b1f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 12:08:22.364835978 CET	192.168.2.7	1.1.1.1	0xe729	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.460913897 CET	192.168.2.7	1.1.1.1	0xd004	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.505769014 CET	192.168.2.7	1.1.1.1	0xd229	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.600840092 CET	192.168.2.7	1.1.1.1	0xb30d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.624228954 CET	192.168.2.7	1.1.1.1	0x9f6a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.650069952 CET	192.168.2.7	1.1.1.1	0x647c	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:22.696995974 CET	192.168.2.7	1.1.1.1	0xb3c8	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.742074966 CET	192.168.2.7	1.1.1.1	0xcde9	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 12:08:22.782762051 CET	192.168.2.7	1.1.1.1	0x3542	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 12:08:22.836008072 CET	192.168.2.7	1.1.1.1	0x95d2	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.860682964 CET	192.168.2.7	1.1.1.1	0xfdd7	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.976922035 CET	192.168.2.7	1.1.1.1	0xa737	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 12:08:22.996521950 CET	192.168.2.7	1.1.1.1	0x2c95	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.146275997 CET	192.168.2.7	1.1.1.1	0xad96	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.288496017 CET	192.168.2.7	1.1.1.1	0xa01b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:23.462683916 CET	192.168.2.7	1.1.1.1	0xfa73	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.463089943 CET	192.168.2.7	1.1.1.1	0x52c2	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.583585024 CET	192.168.2.7	1.1.1.1	0x9ed1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:24.100727081 CET	192.168.2.7	1.1.1.1	0x6a07	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:24.177181005 CET	192.168.2.7	1.1.1.1	0x796	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:24.247687101 CET	192.168.2.7	1.1.1.1	0xfe9a	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:24.400633097 CET	192.168.2.7	1.1.1.1	0xfe78	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:24.430039883 CET	192.168.2.7	1.1.1.1	0xe03e	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 12:08:28.358949900 CET	192.168.2.7	1.1.1.1	0x2015	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.360095024 CET	192.168.2.7	1.1.1.1	0x8f08	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.360413074 CET	192.168.2.7	1.1.1.1	0xde92	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.536556959 CET	192.168.2.7	1.1.1.1	0x4128	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.537338972 CET	192.168.2.7	1.1.1.1	0xea24	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.539388895 CET	192.168.2.7	1.1.1.1	0x1e73	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.687135935 CET	192.168.2.7	1.1.1.1	0xd114	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 12:08:29.687135935 CET	192.168.2.7	1.1.1.1	0x326c	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:29.687566042 CET	192.168.2.7	1.1.1.1	0x2152	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:30.098645926 CET	192.168.2.7	1.1.1.1	0x7b3a	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.099181890 CET	192.168.2.7	1.1.1.1	0x5613	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.099351883 CET	192.168.2.7	1.1.1.1	0xc052	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236821890 CET	192.168.2.7	1.1.1.1	0xfca7	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.237215996 CET	192.168.2.7	1.1.1.1	0xd879	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.237543106 CET	192.168.2.7	1.1.1.1	0x247c	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.376240969 CET	192.168.2.7	1.1.1.1	0x5f65	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:30.376784086 CET	192.168.2.7	1.1.1.1	0xa959	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 25, 2024 12:08:30.377362013 CET	192.168.2.7	1.1.1.1	0x16b5	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 25, 2024 12:08:32.886410952 CET	192.168.2.7	1.1.1.1	0x9c57	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:33.428265095 CET	192.168.2.7	1.1.1.1	0x2c7f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:37.748550892 CET	192.168.2.7	1.1.1.1	0xd22b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:44.862941980 CET	192.168.2.7	1.1.1.1	0xc55	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:08:46.095247030 CET	192.168.2.7	1.1.1.1	0x2adc	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:46.160861969 CET	192.168.2.7	1.1.1.1	0xab08	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.716506958 CET	192.168.2.7	1.1.1.1	0xdce6	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.766019106 CET	192.168.2.7	1.1.1.1	0x2fe2	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.860105038 CET	192.168.2.7	1.1.1.1	0xa511	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.860518932 CET	192.168.2.7	1.1.1.1	0x9fbd	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:49.000437975 CET	192.168.2.7	1.1.1.1	0x22e4	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 12:08:49.000437975 CET	192.168.2.7	1.1.1.1	0x1881	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 25, 2024 12:08:49.001431942 CET	192.168.2.7	1.1.1.1	0x6277	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:49.140227079 CET	192.168.2.7	1.1.1.1	0xe04a	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:09:06.472311020 CET	192.168.2.7	1.1.1.1	0xcd30	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:06.612622976 CET	192.168.2.7	1.1.1.1	0x7ccb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:09:19.629286051 CET	192.168.2.7	1.1.1.1	0xc904	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:09:48.136419058 CET	192.168.2.7	1.1.1.1	0xb0d4	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:48.275949001 CET	192.168.2.7	1.1.1.1	0xc04a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 12:09:49.497896910 CET	192.168.2.7	1.1.1.1	0xc644	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:49.637382030 CET	192.168.2.7	1.1.1.1	0x6aca	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:49.825552940 CET	192.168.2.7	1.1.1.1	0x8268	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:49.964006901 CET	192.168.2.7	1.1.1.1	0x8626	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 12:08:12.634090900 CET	1.1.1.1	192.168.2.7	0xae84	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:12.634090900 CET	1.1.1.1	192.168.2.7	0xae84	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.559546947 CET	1.1.1.1	192.168.2.7	0xe8db	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.564145088 CET	1.1.1.1	192.168.2.7	0xbb13	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:21.564145088 CET	1.1.1.1	192.168.2.7	0xbb13	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.568121910 CET	1.1.1.1	192.168.2.7	0x91a2	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.706280947 CET	1.1.1.1	192.168.2.7	0x2e84	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.708755970 CET	1.1.1.1	192.168.2.7	0xf97d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.711635113 CET	1.1.1.1	192.168.2.7	0xc74c	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:21.930828094 CET	1.1.1.1	192.168.2.7	0xa56e	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 25, 2024 12:08:21.972198963 CET	1.1.1.1	192.168.2.7	0x6b1f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 12:08:22.503703117 CET	1.1.1.1	192.168.2.7	0xe729	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.599364996 CET	1.1.1.1	192.168.2.7	0xd004	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:22.599364996 CET	1.1.1.1	192.168.2.7	0xd004	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.622873068 CET	1.1.1.1	192.168.2.7	0xe393	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:22.622873068 CET	1.1.1.1	192.168.2.7	0xe393	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.642774105 CET	1.1.1.1	192.168.2.7	0xd229	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.739634037 CET	1.1.1.1	192.168.2.7	0xb30d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.762918949 CET	1.1.1.1	192.168.2.7	0x9f6a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.833897114 CET	1.1.1.1	192.168.2.7	0xb3c8	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:22.833897114 CET	1.1.1.1	192.168.2.7	0xb3c8	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:22.833897114 CET	1.1.1.1	192.168.2.7	0xb3c8	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:22.974042892 CET	1.1.1.1	192.168.2.7	0x95d2	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.076930046 CET	1.1.1.1	192.168.2.7	0xfdd7	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:23.113971949 CET	1.1.1.1	192.168.2.7	0xa737	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 12:08:23.133589029 CET	1.1.1.1	192.168.2.7	0x2c95	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.287766933 CET	1.1.1.1	192.168.2.7	0xad96	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.599360943 CET	1.1.1.1	192.168.2.7	0xfa73	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.599781990 CET	1.1.1.1	192.168.2.7	0x52c2	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.599781990 CET	1.1.1.1	192.168.2.7	0x52c2	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:23.725307941 CET	1.1.1.1	192.168.2.7	0x9ed1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:23.725307941 CET	1.1.1.1	192.168.2.7	0x9ed1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:24.170826912 CET	1.1.1.1	192.168.2.7	0x9075	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:24.238893032 CET	1.1.1.1	192.168.2.7	0x6a07	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:24.238893032 CET	1.1.1.1	192.168.2.7	0x6a07	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:24.314371109 CET	1.1.1.1	192.168.2.7	0x796	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:24.338181019 CET	1.1.1.1	192.168.2.7	0xe6b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:24.338181019 CET	1.1.1.1	192.168.2.7	0xe6b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:24.384646893 CET	1.1.1.1	192.168.2.7	0xfe9a	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:25.978414059 CET	1.1.1.1	192.168.2.7	0x4f5e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.495805979 CET	1.1.1.1	192.168.2.7	0x2015	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:28.495805979 CET	1.1.1.1	192.168.2.7	0x2015	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:28.495805979 CET	1.1.1.1	192.168.2.7	0x2015	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497071981 CET	1.1.1.1	192.168.2.7	0x8f08	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497783899 CET	1.1.1.1	192.168.2.7	0xde92	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:28.497783899 CET	1.1.1.1	192.168.2.7	0xde92	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686031103 CET	1.1.1.1	192.168.2.7	0xea24	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686031103 CET	1.1.1.1	192.168.2.7	0xea24	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686031103 CET	1.1.1.1	192.168.2.7	0xea24	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686031103 CET	1.1.1.1	192.168.2.7	0xea24	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686031103 CET	1.1.1.1	192.168.2.7	0xea24	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686031103 CET	1.1.1.1	192.168.2.7	0xea24	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686031103 CET	1.1.1.1	192.168.2.7	0xea24	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686031103 CET	1.1.1.1	192.168.2.7	0xea24	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686031103 CET	1.1.1.1	192.168.2.7	0xea24	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686047077 CET	1.1.1.1	192.168.2.7	0x4128	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.686099052 CET	1.1.1.1	192.168.2.7	0x1e73	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:29.829315901 CET	1.1.1.1	192.168.2.7	0x2152	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 25, 2024 12:08:29.829334974 CET	1.1.1.1	192.168.2.7	0x326c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 12:08:29.829334974 CET	1.1.1.1	192.168.2.7	0x326c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 12:08:29.829334974 CET	1.1.1.1	192.168.2.7	0x326c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 12:08:29.829334974 CET	1.1.1.1	192.168.2.7	0x326c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 12:08:30.235874891 CET	1.1.1.1	192.168.2.7	0x7b3a	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:30.235874891 CET	1.1.1.1	192.168.2.7	0x7b3a	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236309052 CET	1.1.1.1	192.168.2.7	0x5613	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236309052 CET	1.1.1.1	192.168.2.7	0x5613	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236309052 CET	1.1.1.1	192.168.2.7	0x5613	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236309052 CET	1.1.1.1	192.168.2.7	0x5613	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236309052 CET	1.1.1.1	192.168.2.7	0x5613	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236712933 CET	1.1.1.1	192.168.2.7	0xc052	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236712933 CET	1.1.1.1	192.168.2.7	0xc052	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236712933 CET	1.1.1.1	192.168.2.7	0xc052	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.236712933 CET	1.1.1.1	192.168.2.7	0xc052	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.375473976 CET	1.1.1.1	192.168.2.7	0x247c	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.376147985 CET	1.1.1.1	192.168.2.7	0xfca7	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.376954079 CET	1.1.1.1	192.168.2.7	0xd879	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.376954079 CET	1.1.1.1	192.168.2.7	0xd879	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.376954079 CET	1.1.1.1	192.168.2.7	0xd879	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.376954079 CET	1.1.1.1	192.168.2.7	0xd879	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:30.514692068 CET	1.1.1.1	192.168.2.7	0xa959	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 25, 2024 12:08:46.234543085 CET	1.1.1.1	192.168.2.7	0x2adc	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:46.234543085 CET	1.1.1.1	192.168.2.7	0x2adc	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:46.299158096 CET	1.1.1.1	192.168.2.7	0xab08	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:46.299158096 CET	1.1.1.1	192.168.2.7	0xab08	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:46.299158096 CET	1.1.1.1	192.168.2.7	0xab08	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:46.299158096 CET	1.1.1.1	192.168.2.7	0xab08	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.852600098 CET	1.1.1.1	192.168.2.7	0x4409	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:48.852600098 CET	1.1.1.1	192.168.2.7	0x4409	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.854758978 CET	1.1.1.1	192.168.2.7	0xdce6	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.854758978 CET	1.1.1.1	192.168.2.7	0xdce6	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.854758978 CET	1.1.1.1	192.168.2.7	0xdce6	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.854758978 CET	1.1.1.1	192.168.2.7	0xdce6	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.905035019 CET	1.1.1.1	192.168.2.7	0x2fe2	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:48.905035019 CET	1.1.1.1	192.168.2.7	0x2fe2	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.999509096 CET	1.1.1.1	192.168.2.7	0xa511	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.999509096 CET	1.1.1.1	192.168.2.7	0xa511	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.999509096 CET	1.1.1.1	192.168.2.7	0xa511	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.999509096 CET	1.1.1.1	192.168.2.7	0xa511	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:48.999521971 CET	1.1.1.1	192.168.2.7	0x9fbd	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:49.139302015 CET	1.1.1.1	192.168.2.7	0x6277	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:08:49.139724016 CET	1.1.1.1	192.168.2.7	0x1881	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 12:08:49.139724016 CET	1.1.1.1	192.168.2.7	0x1881	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 12:08:49.139724016 CET	1.1.1.1	192.168.2.7	0x1881	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 12:08:49.139724016 CET	1.1.1.1	192.168.2.7	0x1881	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 12:08:52.262499094 CET	1.1.1.1	192.168.2.7	0x5997	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:08:52.262499094 CET	1.1.1.1	192.168.2.7	0x5997	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:09:06.609559059 CET	1.1.1.1	192.168.2.7	0xcd30	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:19.625658989 CET	1.1.1.1	192.168.2.7	0x6c78	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:48.274693966 CET	1.1.1.1	192.168.2.7	0xb0d4	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:49.636296988 CET	1.1.1.1	192.168.2.7	0xc644	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:09:49.636296988 CET	1.1.1.1	192.168.2.7	0xc644	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:49.774775982 CET	1.1.1.1	192.168.2.7	0x6aca	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:09:49.774775982 CET	1.1.1.1	192.168.2.7	0x6aca	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:49.962589979 CET	1.1.1.1	192.168.2.7	0x8268	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:09:49.962589979 CET	1.1.1.1	192.168.2.7	0x8268	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 12:09:50.101782084 CET	1.1.1.1	192.168.2.7	0x8626	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 12:09:50.101782084 CET	1.1.1.1	192.168.2.7	0x8626	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49727	34.107.221.82	80	3964	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 12:08:22.274524927 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:23.454226971 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 11:49:30 GMT Age: 83933 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49741	34.107.221.82	80	3964	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 12:08:23.847964048 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:24.987986088 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 19:39:57 GMT Age: 55707 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49744	34.107.221.82	80	3964	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 12:08:24.169478893 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:25.299971104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62458 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:08:25.838449955 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:26.162136078 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62458 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:08:28.372807980 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:28.696614027 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62461 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:08:35.362279892 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:35.685925961 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62468 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:08:37.745421886 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:38.069216013 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62470 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:08:39.016521931 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:39.340137005 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62472 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:08:40.289973021 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:40.613419056 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62473 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:08:46.095519066 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:46.419229031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62479 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:08:50.006443977 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:50.329925060 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62483 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:08:51.419840097 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:08:51.743271112 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62484 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:09:00.654901028 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:09:00.988574982 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62493 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:09:07.879509926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:09:08.203298092 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62501 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:09:18.216329098 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:09:20.864608049 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:09:21.195636988 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62514 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:09:22.078763008 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:09:22.404768944 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62515 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:09:32.425964117 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:09:42.555109978 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:09:49.497598886 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 12:09:49.822411060 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 62542 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 12:09:59.836390018 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:10:09.965643883 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:10:20.097816944 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49753	34.107.221.82	80	3964	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 12:08:25.959336042 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49756	34.107.221.82	80	3964	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 12:08:26.475500107 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:27.516973972 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28469 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:08:32.886545897 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:33.209945917 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28475 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:08:35.984371901 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:36.308846951 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28478 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:08:38.072760105 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:38.397123098 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28480 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:08:39.343708992 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:39.667908907 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28481 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:08:40.617324114 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:40.940624952 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28482 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:08:46.424304962 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:46.748804092 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28488 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:08:50.333564043 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:50.657222033 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28492 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:08:51.746509075 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:08:52.070699930 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28493 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:09:00.996622086 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:09:01.321355104 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28503 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:09:08.206645966 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:09:08.530889034 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28510 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:09:18.532645941 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:09:21.199362040 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:09:21.523865938 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28523 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:09:22.408004999 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:09:22.731856108 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28524 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:09:32.742513895 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:09:42.871635914 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:09:49.826026917 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 12:09:50.150276899 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 28551 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 12:10:00.152790070 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:10:10.282140970 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 12:10:20.414305925 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	06:08:13
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa60000
File size:	921'600 bytes
MD5 hash:	088BF96F7F07F9D38D2DEEB897B64873
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:08:13
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xc80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:08:13
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:08:16
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xc80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:08:16
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:08:16
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x7ff75da10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:08:16
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:08:16
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x600000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:08:16
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:08:16
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xc80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:08:16
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:08:16
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:08:17
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:08:17
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:08:18
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23394519-5634-4e38-af03-29850acb4b80} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d3be6e510 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	06:08:19
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -parentBuildID 20230927232528 -prefsHandle 3648 -prefMapHandle 2912 -prefsLen 26151 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e42fb9f8-7b06-4a0a-8703-7e638740022d} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d3be7a710 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	06:08:23
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32652d90-4854-4b87-9fab-293d8e7df5cd} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 23d4e207510 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1595
Total number of Limit Nodes:	59

Executed Functions

Function 00A642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A6430D

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

GetCurrentProcess.KERNEL32(?,00AFCB64,00000000,?,?), ref: 00A64422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00A64429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A64454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A64466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00A64474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A6447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00A644A0

Strings

kernel32.dll, xrefs: 00A6444F
|O, xrefs: 00AA36F8
GetNativeSystemInfo, xrefs: 00A64460

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: ec0dd7e4b4983a3de6471d9d377a44ae2d25a2add3470354f17d60be71c546b0
Instruction ID: ac2d61619880775557ab0654de09a1d83ba8137f3f124a2d58e61f8f7594bcc1
Opcode Fuzzy Hash: ec0dd7e4b4983a3de6471d9d377a44ae2d25a2add3470354f17d60be71c546b0
Instruction Fuzzy Hash: 96A1737690A2C4FFCB11C7AD7D451AD7FBC6B2A740B389C99E08197B62DE304509CB29

Function 00A642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A650AA,?,?,00000000,00000000), ref: 00A642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A650AA,?,?,00000000,00000000), ref: 00A642C9
LoadResource.KERNEL32(?,00000000,?,?,00A650AA,?,?,00000000,00000000,?,?,?,?,?,?,00A64F20), ref: 00AA35BE
SizeofResource.KERNEL32(?,00000000,?,?,00A650AA,?,?,00000000,00000000,?,?,?,?,?,?,00A64F20), ref: 00AA35D3
LockResource.KERNEL32(00A650AA,?,?,00A650AA,?,?,00000000,00000000,?,?,?,?,?,?,00A64F20,?), ref: 00AA35E6

Strings

SCRIPT, xrefs: 00A642BF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f6a3d57c7fbbcfb71fca9398c82700b85e196c52d47d417864db1f75741b7608
Instruction ID: a3b59b40d4de0dccb5200e3d64d9cb3e1c23dc6df6e2f7d887c2de846c1e14b5
Opcode Fuzzy Hash: f6a3d57c7fbbcfb71fca9398c82700b85e196c52d47d417864db1f75741b7608
Instruction Fuzzy Hash: 19117C71200705BFDB219BAADD58FA77BB9EBC9B61F204169F402D6290DB71DC11C660

Function 00AA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00A62B6B

Part of subcall function 00A63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B31418,?,00A62E7F,?,?,?,00000000), ref: 00A63A78

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00B22224), ref: 00AA2C10
ShellExecuteW.SHELL32(00000000,?,?,00B22224), ref: 00AA2C17

Strings

runas, xrefs: 00AA2C0B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 08568bd3d6e657fd8ab0548175d66d7365233a5679550f357aa31c8b92b6e598
Instruction ID: ff067cf112bae475ff7875f91b378c2fb390b67c76d4bd62c5153ca24dc62bb3
Opcode Fuzzy Hash: 08568bd3d6e657fd8ab0548175d66d7365233a5679550f357aa31c8b92b6e598
Instruction Fuzzy Hash: CA11E932208345AACB14FFA4DA51ABEB7F8DF91350F04082DF186571A2CF31894BD712

Function 00ACD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ACD501
Process32FirstW.KERNEL32(00000000,?), ref: 00ACD50F
Process32NextW.KERNEL32(00000000,?), ref: 00ACD52F
CloseHandle.KERNELBASE(00000000), ref: 00ACD5DC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 4ac64651c0c8d95fb6af003167c751a3db741f4305f5f0f2fcc209b4b70a0fc6
Instruction ID: 9d34dd65d6a3e6ce467bba4d65186720b6ea78cb59507cb0762a7a4cd29d981f
Opcode Fuzzy Hash: 4ac64651c0c8d95fb6af003167c751a3db741f4305f5f0f2fcc209b4b70a0fc6
Instruction Fuzzy Hash: 44317C721082049FD300EFA4C985EAFBBF8AF99354F14092DF585961A1EB719949CBA2

Function 00ACDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00AA5222), ref: 00ACDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00ACDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00ACDBEE
FindClose.KERNEL32(00000000), ref: 00ACDBFA

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d6d06b0cf5cbb0fcd4d7c9db0ff3a43d4fe56e966e10d2ed8298c9814cd84d2c
Instruction ID: 469a6193c3f055f418d3cef693c7ecd1d4bae6b1757f0bc221bbbea574c89e9e
Opcode Fuzzy Hash: d6d06b0cf5cbb0fcd4d7c9db0ff3a43d4fe56e966e10d2ed8298c9814cd84d2c
Instruction Fuzzy Hash: C2F0A03081891867C220ABF8AE0D9BA376C9E01334B10471AF836C20E0EBB06956C695

Function 00A84CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00A928E9,?,00A84CBE,00A928E9,00B288B8,0000000C,00A84E15,00A928E9,00000002,00000000,?,00A928E9), ref: 00A84D09
TerminateProcess.KERNEL32(00000000,?,00A84CBE,00A928E9,00B288B8,0000000C,00A84E15,00A928E9,00000002,00000000,?,00A928E9), ref: 00A84D10
ExitProcess.KERNEL32 ref: 00A84D22

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bf356d2ae5624eca8bd191c48078eb10c86359d958d354d7e032a4365af7d3dd
Instruction ID: 5d4298c4998bf2103a4d20d88ec91abae648fbdb003cc443ca95d14ca7f160f7
Opcode Fuzzy Hash: bf356d2ae5624eca8bd191c48078eb10c86359d958d354d7e032a4365af7d3dd
Instruction Fuzzy Hash: 4CE0B631000149AFCF12BF95DE09A69BB69EB45791B104114FD458A122CB35ED52DB80

Function 00AEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00AEB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AEB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AEB1D4
_wcslen.LIBCMT ref: 00AEB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AEB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AEB236
_wcslen.LIBCMT ref: 00AEB332

Part of subcall function 00AD05A7: GetStdHandle.KERNEL32(000000F6), ref: 00AD05C6

_wcslen.LIBCMT ref: 00AEB34B
_wcslen.LIBCMT ref: 00AEB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AEB3B6
GetLastError.KERNEL32(00000000), ref: 00AEB407
CloseHandle.KERNEL32(?), ref: 00AEB439
CloseHandle.KERNEL32(00000000), ref: 00AEB44A
CloseHandle.KERNEL32(00000000), ref: 00AEB45C
CloseHandle.KERNEL32(00000000), ref: 00AEB46E
CloseHandle.KERNEL32(?), ref: 00AEB4E3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 9665f7688418f9d2b07df19c0a0594077cb7f821121fe01ca8d378c030916790
Instruction ID: ff73564d02f13747a463f0452e86984849b57a6f559ef825d7c4fe878f3a7804
Opcode Fuzzy Hash: 9665f7688418f9d2b07df19c0a0594077cb7f821121fe01ca8d378c030916790
Instruction Fuzzy Hash: 86F1BD316183409FC714EF25C995B6FBBE1AF85314F14855DF89A8B2A2DB30EC40CB62

Function 00A6D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A6D807
timeGetTime.WINMM ref: 00A6DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A6DB28
TranslateMessage.USER32(?), ref: 00A6DB7B
DispatchMessageW.USER32(?), ref: 00A6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A6DB9F
Sleep.KERNELBASE(0000000A), ref: 00A6DBB1

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: e2ca0e1420b8389cd3c18e62c4b6248b0038bbf5b6176efde7045113b31ed1d6
Instruction ID: 271edbd46a245874c5dc82946e56256e31baed53470b7a364e9936a6f6554887
Opcode Fuzzy Hash: e2ca0e1420b8389cd3c18e62c4b6248b0038bbf5b6176efde7045113b31ed1d6
Instruction Fuzzy Hash: BA42C071B08241EFD728CF24C994BAABBF4FF55354F148A1EE4558B292DB70E844CB92

Function 00A62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A62D07
RegisterClassExW.USER32(00000030), ref: 00A62D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A62D42
InitCommonControlsEx.COMCTL32(?), ref: 00A62D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A62D6F
LoadIconW.USER32(000000A9), ref: 00A62D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A62D94

Strings

+, xrefs: 00A62CF0
0, xrefs: 00A62CE9
TaskbarCreated, xrefs: 00A62D37
AutoIt v3 GUI, xrefs: 00A62D23

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d380c1ff7c57473ff10d71f563dfae55e0764c985e45a6f69027871c63a139d3
Instruction ID: d52e585a75e0a5a3b976af4d099789c45e4d9bae997347de4d51bf9baaa12195
Opcode Fuzzy Hash: d380c1ff7c57473ff10d71f563dfae55e0764c985e45a6f69027871c63a139d3
Instruction Fuzzy Hash: D321D3B190120CAFDB00DFE9ED49BADBBB8FB08710F10851AF611A72A0DBB11545CF94

Function 00AA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA039A: CreateFileW.KERNELBASE(00000000,00000000,?,00AA0704,?,?,00000000,?,00AA0704,00000000,0000000C), ref: 00AA03B7

GetLastError.KERNEL32 ref: 00AA076F
__dosmaperr.LIBCMT ref: 00AA0776
GetFileType.KERNELBASE(00000000), ref: 00AA0782
GetLastError.KERNEL32 ref: 00AA078C
__dosmaperr.LIBCMT ref: 00AA0795
CloseHandle.KERNEL32(00000000), ref: 00AA07B5
CloseHandle.KERNEL32(?), ref: 00AA08FF
GetLastError.KERNEL32 ref: 00AA0931
__dosmaperr.LIBCMT ref: 00AA0938

Strings

H, xrefs: 00AA08BD

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: cd69f4cfb4eff2207b3c84c0a907b34edc01e8d57476429902000ae206f0f639
Instruction ID: adf1fa96ec9919dc4e27319d821e61bebeb7fd880c6ba4c9e8289b57cedd405b
Opcode Fuzzy Hash: cd69f4cfb4eff2207b3c84c0a907b34edc01e8d57476429902000ae206f0f639
Instruction Fuzzy Hash: 9BA10332A141098FDF19EFA8D952BAE7BA0AB0A324F240159F815DF2D1DB359912CB91

Function 00A6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B31418,?,00A62E7F,?,?,?,00000000), ref: 00A63A78

Part of subcall function 00A63357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A63379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A6356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AA318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AA31CE
RegCloseKey.ADVAPI32(?), ref: 00AA3210
_wcslen.LIBCMT ref: 00AA3277
_wcslen.LIBCMT ref: 00AA3286

Strings

\, xrefs: 00AA328C
\Include\, xrefs: 00A63527
Software\AutoIt v3\AutoIt, xrefs: 00A63560
Include, xrefs: 00AA3184, 00AA31C5

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e9912dd307ff35167d3679b34d2aa45f0c1b7ccb818a7247f44453f0bbb15238
Instruction ID: 0174ae2483b397f5b64528cf5561bd7a2e1f439edfb44fa84f2b310a9d0274cc
Opcode Fuzzy Hash: e9912dd307ff35167d3679b34d2aa45f0c1b7ccb818a7247f44453f0bbb15238
Instruction Fuzzy Hash: 3B71A0724043059EC714EF65ED829AFBBF8FF95350F60482EF545832A0EB309A49CB56

Function 00A62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A62B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00A62B9D
LoadIconW.USER32(00000063), ref: 00A62BB3
LoadIconW.USER32(000000A4), ref: 00A62BC5
LoadIconW.USER32(000000A2), ref: 00A62BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A62BEF
RegisterClassExW.USER32(?), ref: 00A62C40

Part of subcall function 00A62CD4: GetSysColorBrush.USER32(0000000F), ref: 00A62D07
Part of subcall function 00A62CD4: RegisterClassExW.USER32(00000030), ref: 00A62D31
Part of subcall function 00A62CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A62D42
Part of subcall function 00A62CD4: InitCommonControlsEx.COMCTL32(?), ref: 00A62D5F
Part of subcall function 00A62CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A62D6F
Part of subcall function 00A62CD4: LoadIconW.USER32(000000A9), ref: 00A62D85
Part of subcall function 00A62CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A62D94

Strings

#, xrefs: 00A62C16
AutoIt v3, xrefs: 00A62C2F
0, xrefs: 00A62C0F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2ac3447c0a784f73a223b88839ae16c483bba4cfa919e8edd095d9787663cf6a
Instruction ID: d3f8dbe11f01d59ddf8e02c2dd58989f685889ffc133cad25b8fcf55ca7e6ebe
Opcode Fuzzy Hash: 2ac3447c0a784f73a223b88839ae16c483bba4cfa919e8edd095d9787663cf6a
Instruction Fuzzy Hash: 0E211A71E00318BBDB10DFEAED55AAD7FB8FB48B50F20041AE600A76A0DBB11545CF98

Function 00A63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A6316A,?,?), ref: 00A631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00A6316A,?,?), ref: 00A63204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A63227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A6316A,?,?), ref: 00A63232
CreatePopupMenu.USER32 ref: 00A63246
PostQuitMessage.USER32(00000000), ref: 00A63267

Strings

TaskbarCreated, xrefs: 00A6322D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f95d6461b8b7e9e97af090cc531ff638e7a17357f7a5d3caad4ce3677921a49c
Instruction ID: 6303787f31e0023439a5b03af7aadb6c40761a02fa885e4d4be28f6352cc1de7
Opcode Fuzzy Hash: f95d6461b8b7e9e97af090cc531ff638e7a17357f7a5d3caad4ce3677921a49c
Instruction Fuzzy Hash: 49411533240204BBDF146BBC9E59BBD3A7DEB16350F240625F602C72A1DB619A53D7A1

Function 00A61410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A61459
CoUninitialize.COMBASE ref: 00A614F8
UnregisterHotKey.USER32(?), ref: 00A616DD
DestroyWindow.USER32(?), ref: 00AA24B9
FreeLibrary.KERNEL32(?), ref: 00AA251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AA254B

Strings

close all, xrefs: 00A61454

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d7f319a32acd4672a015096155def1286af6a9f65f6d1bf633d59c1bfeb7ab04
Instruction ID: 8068f94a5bac4e7a71666a6796ad6e05d36db604ae6de887ecd575445398e0c1
Opcode Fuzzy Hash: d7f319a32acd4672a015096155def1286af6a9f65f6d1bf633d59c1bfeb7ab04
Instruction Fuzzy Hash: F1D15E31701212CFCB29EF59CA95B69FBB4BF05710F1881ADE54A6B291DB30AD22CF51

Function 00A62C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A62C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A62CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A61CAD,?), ref: 00A62CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A61CAD,?), ref: 00A62CCF

Strings

AutoIt v3, xrefs: 00A62C89, 00A62C8E, 00A62C8F
edit, xrefs: 00A62CAC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3a822f58431b9ef4e02bcf6fc95cd8d94a7fd6ed92432d257ed68ff6cb93e161
Instruction ID: 8d96d388f8fa9722da5f20fb5350e8cdf4a8919f5c6cf5136cf833f5d19bde3b
Opcode Fuzzy Hash: 3a822f58431b9ef4e02bcf6fc95cd8d94a7fd6ed92432d257ed68ff6cb93e161
Instruction Fuzzy Hash: 2CF05E755402987AEB30575BAC48EBB3EBDD7C6F60F20041EFA00A35A0DA711845DEB8

Function 00A63B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A63B0F,SwapMouseButtons,00000004,?), ref: 00A63B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A63B0F,SwapMouseButtons,00000004,?), ref: 00A63B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00A63B0F,SwapMouseButtons,00000004,?), ref: 00A63B83

Strings

Control Panel\Mouse, xrefs: 00A63B3E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: c914e66230d06960b2ddcbb5bf8e53c1090ef2a9d4a52069c5c5047b89777a78
Instruction ID: 40903382d1b3f12ec8fcee382c05f943ad42dd81935f15e7e97a692f7e5f904c
Opcode Fuzzy Hash: c914e66230d06960b2ddcbb5bf8e53c1090ef2a9d4a52069c5c5047b89777a78
Instruction Fuzzy Hash: 38115AB2510208FFDF20CFA5DC44EEEB7B8EF01750B104459A802D7110E6319E429760

Function 00A63923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AA33A2

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A63A04

Strings

Line: , xrefs: 00AA33EB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ea1476c6be2478431a7059c96b76c3e4616fa78c521bd26251920d13646ea415
Instruction ID: 95767c2d5e9f3e37054e9dd258424d3f0f7b2ad30e227f7388dfe6c7cddcae70
Opcode Fuzzy Hash: ea1476c6be2478431a7059c96b76c3e4616fa78c521bd26251920d13646ea415
Instruction Fuzzy Hash: AA31C172408304AACB21EB64DC45BEFB7FCAB44710F10492AF59A971D1DF709A4ACBD6

Function 00A7FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00A80668

Part of subcall function 00A832A4: RaiseException.KERNEL32(?,?,?,00A8068A,?,00B31444,?,?,?,?,?,?,00A8068A,00A61129,00B28738,00A61129), ref: 00A83304

__CxxThrowException@8.LIBVCRUNTIME ref: 00A80685

Strings

Unknown exception, xrefs: 00A80692

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 99d26dd178e17261de3c81457d42c9a17742af1c228529429014e0591496e997
Instruction ID: c0f3dae27660ace50b7df93ed98a059f894531e7e4dfa92f7ecd2b8107f67b7c
Opcode Fuzzy Hash: 99d26dd178e17261de3c81457d42c9a17742af1c228529429014e0591496e997
Instruction Fuzzy Hash: E2F0C23490020DBB8F14B7A4ED46D9E77AC5E00754B60C571B928D65A2FF71DB2AC790

Function 00A610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A61BF4
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A61BFC
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A61C07
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A61C12
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A61C1A
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A61C22

Part of subcall function 00A61B4A: RegisterWindowMessageW.USER32(00000004,?,00A612C4), ref: 00A61BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A6136A
OleInitialize.OLE32 ref: 00A61388
CloseHandle.KERNEL32(00000000,00000000), ref: 00AA24AB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 19ce2e032814bc62c04ba8770774cf5c62b6f99f146b8b105f3ff15f8a0aa723
Instruction ID: 0df350b256ee2f8fe969942be71a7d03655c2bc4e935594e4f835566bca56b58
Opcode Fuzzy Hash: 19ce2e032814bc62c04ba8770774cf5c62b6f99f146b8b105f3ff15f8a0aa723
Instruction Fuzzy Hash: C371ACB69012048FC384DFBEAA4566D3AECFBA83547368E2AE54AC7361EF304405CF54

Function 00ACC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A63A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ACC259
KillTimer.USER32(?,00000001,?,?), ref: 00ACC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00ACC270

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 997cabfd0003b20f0d6760f694688885ed90cac7b44ba56c0d4a94bc6dcebc0d
Instruction ID: 27b71435d959590426b3a2d4bee453bb4651903eb5b74cb9c1286f5bf2d003bc
Opcode Fuzzy Hash: 997cabfd0003b20f0d6760f694688885ed90cac7b44ba56c0d4a94bc6dcebc0d
Instruction Fuzzy Hash: 7531C370904344AFEB32EFA48895BEBBBFCAB06314F04049ED1DE97241C7745A85CB51

Function 00A986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00A985CC,?,00B28CC8,0000000C), ref: 00A98704
GetLastError.KERNEL32(?,00A985CC,?,00B28CC8,0000000C), ref: 00A9870E
__dosmaperr.LIBCMT ref: 00A98739

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 37647f6045172e6ade2b282b9ff08cfc885a20636c0c6c5af9b712be9c33b833
Instruction ID: 4ad9ea9b74d8b72defdd28b776013622ff932cd3d95433cfbd25a5c0117d29f3
Opcode Fuzzy Hash: 37647f6045172e6ade2b282b9ff08cfc885a20636c0c6c5af9b712be9c33b833
Instruction Fuzzy Hash: 8C012B33B0562016DE256374A946B7F77D94B93774F390219FA148F1D2DEA88C81D290

Function 00A6DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00A6DB7B
DispatchMessageW.USER32(?), ref: 00A6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A6DB9F
Sleep.KERNELBASE(0000000A), ref: 00A6DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00AB1CC9

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: ba7681a859d8ea2118a7cb86a06661422f05b5ea1a079a4785dea9c81ef1195a
Instruction ID: e1edbb06cd939c1ab25fcf551afaaec4a918deb6ef0ded331a328e904885c73b
Opcode Fuzzy Hash: ba7681a859d8ea2118a7cb86a06661422f05b5ea1a079a4785dea9c81ef1195a
Instruction Fuzzy Hash: 37F05E316443449BE730DBE18D59FEA77BCEB45350F508919E61A830D0DB30A449CB25

Function 00A71310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A717F6

Strings

CALL, xrefs: 00A717C6

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e7a194bc51d4dc1726eae51f6468bd289d15d92281a03b9eb75055fdb8be4b44
Instruction ID: c31fd2bde1276cbbd5b4ae8dde68a1072bef9d2e5c3d293bd32957cceb0dac80
Opcode Fuzzy Hash: e7a194bc51d4dc1726eae51f6468bd289d15d92281a03b9eb75055fdb8be4b44
Instruction Fuzzy Hash: 93228B706083019FC714DF18C990A6ABBF5BF85314F24C96DF49A8B362D735E945CB92

Function 00A62DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00AA2C8C

Part of subcall function 00A63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A63A97,?,?,00A62E7F,?,?,?,00000000), ref: 00A63AC2

Part of subcall function 00A62DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A62DC4

Strings

X, xrefs: 00AA2C5A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ae408379b0e6056e05b5697a10fa8e0489a614c723a7827a22b05f6d2a0a872c
Instruction ID: 844161401ef214e17979a7ff7faedfeb31c0ecb40bea06ba1ed29a80c27c84eb
Opcode Fuzzy Hash: ae408379b0e6056e05b5697a10fa8e0489a614c723a7827a22b05f6d2a0a872c
Instruction Fuzzy Hash: 8E21A571A00298AFDF01EF94D945BEE7BFCAF49314F008059E405A7281DBB45A898F61

Function 00A63837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A63908

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 24ac3b3b0c1ac73a526ed2059e12a9de6a9ec6e2b237ed1c8412fe000de7379f
Instruction ID: 230c8338ded9af4f42e318b4f2d24ee6d769aa4a47f1f81f2c2646950bcc6e90
Opcode Fuzzy Hash: 24ac3b3b0c1ac73a526ed2059e12a9de6a9ec6e2b237ed1c8412fe000de7379f
Instruction Fuzzy Hash: AC31C3725043009FDB20DF68D9847EBBBF8FB49708F10092EF59A87240E771AA44CB52

Function 00A7F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A7F661

Part of subcall function 00A6D730: GetInputState.USER32 ref: 00A6D807

Sleep.KERNEL32(00000000), ref: 00ABF2DE

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 609ff21c247913e81673e78c4063b8d3c6f1c49f91cf5c90e7bf22d79dc33335
Instruction ID: 512485403d713da4b409bc2272a510b519a1468cb019ec7cb68d15e911d37a7b
Opcode Fuzzy Hash: 609ff21c247913e81673e78c4063b8d3c6f1c49f91cf5c90e7bf22d79dc33335
Instruction Fuzzy Hash: 3DF08C312402059FD310EFAADA49BAAB7F8EF45761F004029E85AC7361EB70A840CBA1

Function 00A64ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A64E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A64EDD,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E9C
Part of subcall function 00A64E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A64EAE
Part of subcall function 00A64E90: FreeLibrary.KERNEL32(00000000,?,?,00A64EDD,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64EFD

Part of subcall function 00A64E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA3CDE,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E62
Part of subcall function 00A64E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A64E74
Part of subcall function 00A64E59: FreeLibrary.KERNEL32(00000000,?,?,00AA3CDE,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E87

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ba6f325466851fe759dc177e1d4f6df7e4b6bb7300c3ee9c8555776311e24783
Instruction ID: 7a72d0877b2b40838a2afdb2d5ccedbf4f4528454830caddc99b34d31e571900
Opcode Fuzzy Hash: ba6f325466851fe759dc177e1d4f6df7e4b6bb7300c3ee9c8555776311e24783
Instruction Fuzzy Hash: 7C11C132600205AACF19FFA0DE02BAD77B5AF48B10F20842AF542A61C1EE719A059790

Function 00A98402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00A98440

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 0f2f7502fd105f1ef4511b671e165d29417c38bdb83ff1411aab9e699ed646d1
Instruction ID: 9854cf5e5ddc31859e510b3dd0b322a557903a0e9802789fe7923ab843b0728e
Opcode Fuzzy Hash: 0f2f7502fd105f1ef4511b671e165d29417c38bdb83ff1411aab9e699ed646d1
Instruction Fuzzy Hash: 68111875A0410AAFCF05DF58E94199F7BF5EF49314F104069F808AB312DB31DA11CBA5

Function 00A95000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A94C7D: RtlAllocateHeap.NTDLL(00000008,00A61129,00000000,?,00A92E29,00000001,00000364,?,?,?,00A8F2DE,00A93863,00B31444,?,00A7FDF5,?), ref: 00A94CBE

_free.LIBCMT ref: 00A9506C

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 8d560a8f9dff3b4cf10bbee5f8261c03d677efe1b66d764ea1a8637f7e0b6098
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: D4012B727047056FEB228F65D842A5AFBE8FB89370F25062DE18483280EA306905C7B4

Function 00A8E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: e3e47c8d38f33b2c10e512962fac5f14c57b8a01d6f29e9dc1e43deb94b4094d
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 9AF02832611A14EADB317B798E05B5A37D89F52330F140735F424931E2EB74D80287A5

Function 00A94C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00A61129,00000000,?,00A92E29,00000001,00000364,?,?,?,00A8F2DE,00A93863,00B31444,?,00A7FDF5,?), ref: 00A94CBE

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0721d551544c47a245161ca3950a62ba6d65be694ab98cc6b3b4b6ea311ff07d
Instruction ID: e4600583404380c1e31f280997053fe40eb9e3b18660df5784a5753ad8ae4330
Opcode Fuzzy Hash: 0721d551544c47a245161ca3950a62ba6d65be694ab98cc6b3b4b6ea311ff07d
Instruction Fuzzy Hash: 23F0B4317062256EDF216F629D05F9A37D8BF497A1B144615B815A6180CA30D80286A0

Function 00A93820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30f230cdccce149d3797b423df3b75487228658d12fbb3b6450e67e29a7a8657
Instruction ID: 83667e8243840168bad00af0c5747b4923d2fb0fdb7921a32d5336129902d5e9
Opcode Fuzzy Hash: 30f230cdccce149d3797b423df3b75487228658d12fbb3b6450e67e29a7a8657
Instruction Fuzzy Hash: D2E0E53730222566DF213BBB9D04BDA36FDAF427B0F158161BC0592880DB20DD0192E0

Function 00A64F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64F6D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9e67088e6e2ac1558a13387307e78b42da1a2eb6bbeb123f14e62280a9200b3a
Instruction ID: b9b22990f1f138102a19f365280c8295c1d2b349f228e4f8dda3f5a1f34872d1
Opcode Fuzzy Hash: 9e67088e6e2ac1558a13387307e78b42da1a2eb6bbeb123f14e62280a9200b3a
Instruction Fuzzy Hash: D4F06571105751CFDB389F64D590822B7F5FF187293108A7EE2DA83511C7319844DF10

Function 00AF2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00AF2A66

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e8bd98d26bba7e73bbbb47a4015a5a30da8d9adb458f7a029d2025f7fbf533c5
Instruction ID: cab9e0f3d16e400b79149264364ef4de7b59b6d0facfb7d187fdecaca2c997b7
Opcode Fuzzy Hash: e8bd98d26bba7e73bbbb47a4015a5a30da8d9adb458f7a029d2025f7fbf533c5
Instruction Fuzzy Hash: 30E04F3635411AAAC754FBB0ED90AFA735CEF543D5710453ABD16C2100DB309995D7A0

Function 00A630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A6314E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: de0853dafa6a30aab9395f22764347f776e0a17e58943c8f16f9c2e1e68d0de9
Instruction ID: c333593eb573378cafbbca9f5ba30ac63e81baed6c21a298eef9d8799df1f168
Opcode Fuzzy Hash: de0853dafa6a30aab9395f22764347f776e0a17e58943c8f16f9c2e1e68d0de9
Instruction Fuzzy Hash: D6F0A770900308AFEB52DB64DC497D97BFCA701708F1000E5A24897181DB705788CF45

Function 00A62DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A62DC4

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d1f7c19cd88cf9a73f731ca28da454a79847dab904de9a803d22e4ac8832cb34
Instruction ID: 0da6483f700aed7279d82d3d203b83163c7d1cf8388d017854393c2e188e990a
Opcode Fuzzy Hash: d1f7c19cd88cf9a73f731ca28da454a79847dab904de9a803d22e4ac8832cb34
Instruction Fuzzy Hash: 22E0CD766001246BC710E6989D05FEA77EDDFC87A0F044075FD09D7248DA60AD80C550

Function 00A62B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A63837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A63908

Part of subcall function 00A6D730: GetInputState.USER32 ref: 00A6D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00A62B6B

Part of subcall function 00A630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A6314E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 0eda54107faf5aa6b2d706f4f99d3f42614c02a199ffd39f6601211381ca21b6
Instruction ID: ea6e8a2ccaa7b099e2b70dc7e91244244a733df0724fbb049cd9ee71ab575f00
Opcode Fuzzy Hash: 0eda54107faf5aa6b2d706f4f99d3f42614c02a199ffd39f6601211381ca21b6
Instruction Fuzzy Hash: E1E0862370424446CA08BBB5AA525BDF77DDBD1351F40197EF542472A2CE24454A8752

Function 00AA039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00AA0704,?,?,00000000,?,00AA0704,00000000,0000000C), ref: 00AA03B7

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e2510d6aad34120af45f6ffd873e26614fbe0ec0ae5cd19f764c32793acaa9b0
Instruction ID: 8970399b88a83cd1dfbfed21cd7d900b9f75f57846c2e469ae6846090164f749
Opcode Fuzzy Hash: e2510d6aad34120af45f6ffd873e26614fbe0ec0ae5cd19f764c32793acaa9b0
Instruction Fuzzy Hash: 57D06C3204010DBBDF028F85DD06EDA3BAAFB48714F014100BE1856020C732E832EB94

Function 00A61CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00A61CBC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b3e4529c24abfa4e1f279954add9d9da9af00378cb56d8658f343b1b33df9be7
Instruction ID: ce4841248f3b7b0d8ced3a5fd94177afc0ff67ec4bd86f9af130b36dcda57d73
Opcode Fuzzy Hash: b3e4529c24abfa4e1f279954add9d9da9af00378cb56d8658f343b1b33df9be7
Instruction Fuzzy Hash: ECC092362C0308AFF3148BC4BD4BF287768A358B11F248401F609AB5E3CBA22824EA54

Non-executed Functions

Function 00AF9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00AF961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AF965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00AF969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AF96C9
SendMessageW.USER32 ref: 00AF96F2
GetKeyState.USER32(00000011), ref: 00AF978B
GetKeyState.USER32(00000009), ref: 00AF9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AF97AE
GetKeyState.USER32(00000010), ref: 00AF97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AF97E9
SendMessageW.USER32 ref: 00AF9810
SendMessageW.USER32(?,00001030,?,00AF7E95), ref: 00AF9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00AF992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00AF9941
SetCapture.USER32(?), ref: 00AF994A
ClientToScreen.USER32(?,?), ref: 00AF99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00AF99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AF99D6
ReleaseCapture.USER32 ref: 00AF99E1
GetCursorPos.USER32(?), ref: 00AF9A19
ScreenToClient.USER32(?,?), ref: 00AF9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AF9A80
SendMessageW.USER32 ref: 00AF9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00AF9AEB
SendMessageW.USER32 ref: 00AF9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00AF9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00AF9B4A
GetCursorPos.USER32(?), ref: 00AF9B68
ScreenToClient.USER32(?,?), ref: 00AF9B75
GetParent.USER32(?), ref: 00AF9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AF9BFA
SendMessageW.USER32 ref: 00AF9C2B
ClientToScreen.USER32(?,?), ref: 00AF9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00AF9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00AF9CDE
SendMessageW.USER32 ref: 00AF9D01
ClientToScreen.USER32(?,?), ref: 00AF9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00AF9D82

Part of subcall function 00A79944: GetWindowLongW.USER32(?,000000EB), ref: 00A79952

GetWindowLongW.USER32(?,000000F0), ref: 00AF9E05

Strings

@GUI_DRAGID, xrefs: 00AF997D
F, xrefs: 00AF9D07

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 39bc5ce1f2c769ddc204a77e275c331bca755b384a07763c4c609dcae4393824
Instruction ID: a3443fe4d4dcd9717c69bd5feecd39608714b22d67c73c2fed432a2548aafa21
Opcode Fuzzy Hash: 39bc5ce1f2c769ddc204a77e275c331bca755b384a07763c4c609dcae4393824
Instruction Fuzzy Hash: 71427B34208209AFD724DFA8CD44BBBBBE9FF48720F144A19F699C72A1D731A855CB51

Function 00AF4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00AF48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00AF4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00AF4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00AF494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00AF495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00AF497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00AF49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00AF49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00AF4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00AF4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00AF4A7E
IsMenu.USER32(?), ref: 00AF4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AF4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AF4B20
GetWindowLongW.USER32(?,000000F0), ref: 00AF4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00AF4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00AF4C82
wsprintfW.USER32 ref: 00AF4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AF4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00AF4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AF4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AF4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00AF4D5A

Strings

%d/%02d/%02d, xrefs: 00AF4CA8

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 91392d78878d8c76da0bdaf36cce536642a40415cfb320b78f6d5be0f125c857
Instruction ID: 200da1e1fb4a3e0f20b250424447d98d2d35f85e37a1259bf7582cdc8c316a79
Opcode Fuzzy Hash: 91392d78878d8c76da0bdaf36cce536642a40415cfb320b78f6d5be0f125c857
Instruction Fuzzy Hash: C712D071600218ABEB248FA9CD49FBF7BF8EF49750F104119F61ADB2A1DB789941CB50

Function 00A7F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00A7F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ABF474
IsIconic.USER32(00000000), ref: 00ABF47D
ShowWindow.USER32(00000000,00000009), ref: 00ABF48A
SetForegroundWindow.USER32(00000000), ref: 00ABF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ABF4AA
GetCurrentThreadId.KERNEL32 ref: 00ABF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ABF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ABF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ABF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00ABF4DE
SetForegroundWindow.USER32(00000000), ref: 00ABF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ABF4F6
keybd_event.USER32(00000012,00000000), ref: 00ABF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ABF50B
keybd_event.USER32(00000012,00000000), ref: 00ABF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ABF519
keybd_event.USER32(00000012,00000000), ref: 00ABF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ABF528
keybd_event.USER32(00000012,00000000), ref: 00ABF52D
SetForegroundWindow.USER32(00000000), ref: 00ABF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00ABF557

Strings

Shell_TrayWnd, xrefs: 00ABF46F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9c1f12f6996d5ddbb1274a8d64dd58684c4b9c4b52445cea6172f64b1227be0a
Instruction ID: 833fc57ae147926d2bbea2fa07a2e04525b543c33e896061f5a7f8394f542d31
Opcode Fuzzy Hash: 9c1f12f6996d5ddbb1274a8d64dd58684c4b9c4b52445cea6172f64b1227be0a
Instruction Fuzzy Hash: 57314171A8021CBFEB20ABF65D4AFBF7E6CEB44B60F140065FA05E61D1C6B15D01EA60

Function 00AC1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00AC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC170D
Part of subcall function 00AC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC173A
Part of subcall function 00AC16C3: GetLastError.KERNEL32 ref: 00AC174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00AC1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00AC12A8
CloseHandle.KERNEL32(?), ref: 00AC12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AC12D1
GetProcessWindowStation.USER32 ref: 00AC12EA
SetProcessWindowStation.USER32(00000000), ref: 00AC12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AC1310

Part of subcall function 00AC10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AC11FC), ref: 00AC10D4
Part of subcall function 00AC10BF: CloseHandle.KERNEL32(?,?,00AC11FC), ref: 00AC10E9

Strings

, xrefs: 00AC125A
winsta0, xrefs: 00AC12CC
default, xrefs: 00AC130B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 8ad3148a992e382ca1d9830e6c4c9b22350cb7a7c5ddf02e951ac3644e82b250
Instruction ID: cf6c655ef8cedf563fb7f21662b8fd1720df070c324ab6745dc1971948f457bd
Opcode Fuzzy Hash: 8ad3148a992e382ca1d9830e6c4c9b22350cb7a7c5ddf02e951ac3644e82b250
Instruction Fuzzy Hash: 32819AB1A00209AFDF25DFE4DE49FEE7BB9EF05704F154169F911A61A2DB308945CB20

Function 00AC0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC1114
Part of subcall function 00AC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1120
Part of subcall function 00AC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC112F
Part of subcall function 00AC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1136
Part of subcall function 00AC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AC0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AC0C00
GetLengthSid.ADVAPI32(?), ref: 00AC0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00AC0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AC0C6D
GetLengthSid.ADVAPI32(?), ref: 00AC0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AC0C8C
HeapAlloc.KERNEL32(00000000), ref: 00AC0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AC0CB4
CopySid.ADVAPI32(00000000), ref: 00AC0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AC0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AC0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AC0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0D45
HeapFree.KERNEL32(00000000), ref: 00AC0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0D55
HeapFree.KERNEL32(00000000), ref: 00AC0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0D65
HeapFree.KERNEL32(00000000), ref: 00AC0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC0D78
HeapFree.KERNEL32(00000000), ref: 00AC0D7F

Part of subcall function 00AC1193: GetProcessHeap.KERNEL32(00000008,00AC0BB1,?,00000000,?,00AC0BB1,?), ref: 00AC11A1
Part of subcall function 00AC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AC0BB1,?), ref: 00AC11A8
Part of subcall function 00AC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AC0BB1,?), ref: 00AC11B7

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9032fd0cf0d9aa44e8ed9fdb3eaa323431c2ce139ecae0817636bcd045db0644
Instruction ID: 28b3b71c53d5f33929660862861e235127fa86979e089d9d72424363faaac5d2
Opcode Fuzzy Hash: 9032fd0cf0d9aa44e8ed9fdb3eaa323431c2ce139ecae0817636bcd045db0644
Instruction Fuzzy Hash: E871AAB290021AEBDF11DFE5DD44FAEBBB8BF04710F054219E905E7191DB70AA06CBA0

Function 00ADEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00AFCC08), ref: 00ADEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00ADEB37
GetClipboardData.USER32(0000000D), ref: 00ADEB43
CloseClipboard.USER32 ref: 00ADEB4F
GlobalLock.KERNEL32(00000000), ref: 00ADEB87
CloseClipboard.USER32 ref: 00ADEB91
GlobalUnlock.KERNEL32(00000000), ref: 00ADEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00ADEBC9
GetClipboardData.USER32(00000001), ref: 00ADEBD1
GlobalLock.KERNEL32(00000000), ref: 00ADEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00ADEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00ADEC38
GetClipboardData.USER32(0000000F), ref: 00ADEC44
GlobalLock.KERNEL32(00000000), ref: 00ADEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00ADEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00ADEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00ADECD2
GlobalUnlock.KERNEL32(00000000), ref: 00ADECF3
CountClipboardFormats.USER32 ref: 00ADED14
CloseClipboard.USER32 ref: 00ADED59

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f85d906ad3511797b99ca7d531ed1e9ef3cc633e97d1b5ef975a5d368968d235
Instruction ID: d1b3afc1c00e1c3b53114eb1640f24f18ea611f2f6f303e4f5b445de6393d3cd
Opcode Fuzzy Hash: f85d906ad3511797b99ca7d531ed1e9ef3cc633e97d1b5ef975a5d368968d235
Instruction Fuzzy Hash: 1061AF352042059FD300EFA5DA88F7AB7B8AF84714F14451AF4969B3A1CB31ED46CB62

Function 00AD698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AD69BE
FindClose.KERNEL32(00000000), ref: 00AD6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AD6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AD6A75

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00AD6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00AD6ADF

Strings

%4d, xrefs: 00AD6BB1
%03d, xrefs: 00AD6DA2
%02d, xrefs: 00AD6C00, 00AD6C0A, 00AD6C5A, 00AD6CAA, 00AD6CFA, 00AD6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00AD6B32
%4d%02d%02d%02d%02d%02d, xrefs: 00AD6B6A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c7d1070527a4ef7696221d8a09519c42d3ac02774ea99716abe71133a1a6455c
Instruction ID: 852c73745969711b13c6fd7858c4df1a053641248b2120088e565d996e7898ff
Opcode Fuzzy Hash: c7d1070527a4ef7696221d8a09519c42d3ac02774ea99716abe71133a1a6455c
Instruction Fuzzy Hash: A4D130B1508340AFC710EBA4CA81EABB7FCAF98704F44491EF589D7291EB74DA44C762

Function 00AD9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00AD9663
GetFileAttributesW.KERNEL32(?), ref: 00AD96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00AD96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00AD96D3
FindClose.KERNEL32(00000000), ref: 00AD96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00AD96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD974A
SetCurrentDirectoryW.KERNEL32(00B26B7C), ref: 00AD9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AD9772
FindClose.KERNEL32(00000000), ref: 00AD977F
FindClose.KERNEL32(00000000), ref: 00AD978F

Strings

*.*, xrefs: 00AD96F5

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: ddf421a541e58389caad3e20d764f0abd22076406b5e41d3b9e1adcffa0070a7
Instruction ID: c8bfc92d979844f79508f9a3a5b90e663a78ccedda32ab034dd2b8406ecabed6
Opcode Fuzzy Hash: ddf421a541e58389caad3e20d764f0abd22076406b5e41d3b9e1adcffa0070a7
Instruction Fuzzy Hash: 0831BF3294061D6ADB14EFF5ED09AEF77ACAF09320F104196F816E22A0EB34D945CB10

Function 00AD979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00AD97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00AD9819
FindClose.KERNEL32(00000000), ref: 00AD9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00AD9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD9890
SetCurrentDirectoryW.KERNEL32(00B26B7C), ref: 00AD98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AD98B8
FindClose.KERNEL32(00000000), ref: 00AD98C5
FindClose.KERNEL32(00000000), ref: 00AD98D5

Part of subcall function 00ACDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00ACDB00

Strings

*.*, xrefs: 00AD983B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 680b1db8104e7f5b9cc7a64fc17cf6731c456e0ff977463146d31cfc22cb6087
Instruction ID: 70f210777eca835a54de75cc46c57807489dff749ffe28bbf57764d2269debea
Opcode Fuzzy Hash: 680b1db8104e7f5b9cc7a64fc17cf6731c456e0ff977463146d31cfc22cb6087
Instruction Fuzzy Hash: AC31E33254061D7EDF14EFF5EC49AEF77ACAF06720F104156E815A22A0EB30D945DB60

Function 00AEBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEB6AE,?,?), ref: 00AEC9B5
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AEC9F1
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA68
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00AEBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00AEBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AEC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AEC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00AEC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00AEC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00AEC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00AEC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AEC382
RegCloseKey.ADVAPI32(00000000), ref: 00AEC38F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 8e0fe8e7681a077dad84374d591304501c907ab6c4d66e0ad3169d0da0a38b95
Instruction ID: a3575d3ee76b8085fb5c897a9b19710dcebe408de7e9e0521aa3a2503e802aae
Opcode Fuzzy Hash: 8e0fe8e7681a077dad84374d591304501c907ab6c4d66e0ad3169d0da0a38b95
Instruction Fuzzy Hash: CD025C71604240AFC714DF29C995E2ABBF5EF49318F18849DF84ACB2A2DB31ED46CB51

Function 00AD8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AD8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AD8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AD8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AD8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AD838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8395

Strings

*.*, xrefs: 00AD839B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 7aa94b93c05654d0a35b848cc02a84230be848faad902e030e4530335040c6ad
Instruction ID: 3fa025eba2fe66f912fe257bff8a6318ee0abeac9416f7d24589f65b1814fbb0
Opcode Fuzzy Hash: 7aa94b93c05654d0a35b848cc02a84230be848faad902e030e4530335040c6ad
Instruction Fuzzy Hash: 136158725043459FCB10EF64C9409AEB3F8FF89324F04891EF99A87251EB35E945CB92

Function 00ACD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A63A97,?,?,00A62E7F,?,?,?,00000000), ref: 00A63AC2

Part of subcall function 00ACE199: GetFileAttributesW.KERNEL32(?,00ACCF95), ref: 00ACE19A

FindFirstFileW.KERNEL32(?,?), ref: 00ACD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00ACD1DD
MoveFileW.KERNEL32(?,?), ref: 00ACD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ACD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ACD237

Part of subcall function 00ACD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00ACD21C,?,?), ref: 00ACD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00ACD253
FindClose.KERNEL32(00000000), ref: 00ACD264

Strings

\*.*, xrefs: 00ACD0CD, 00ACD0D6, 00ACD0EB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b9bcec3f70346d550fdb74421d187d75b8a49600e7438dbcab01e8cb191c719f
Instruction ID: c7699ce28102c486b76af9420c758a79f905270cdca2912717a49f2e4e69d1cc
Opcode Fuzzy Hash: b9bcec3f70346d550fdb74421d187d75b8a49600e7438dbcab01e8cb191c719f
Instruction Fuzzy Hash: E0612D3180110DAACF15EBE0DB52EEEB7B9AF65300F254169E40677191EB319F0ADB61

Function 00ADED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00ADED91
EmptyClipboard.USER32 ref: 00ADED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00ADEDAC
CloseClipboard.USER32 ref: 00ADEEA3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 950bfa97991d6b36ae08adc017ff24a446b3d7b49aeddf042fdd604fdd5b688c
Instruction ID: 88e32cdf24ae0db6bfbab867138414ace20ccf6a18726a9e356a3bdb90626fea
Opcode Fuzzy Hash: 950bfa97991d6b36ae08adc017ff24a446b3d7b49aeddf042fdd604fdd5b688c
Instruction Fuzzy Hash: 0A41BF35204611AFD320EF95D988B29BBE5FF44328F14C09AE4568F762CB75ED42CB90

Function 00ACE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC170D
Part of subcall function 00AC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC173A
Part of subcall function 00AC16C3: GetLastError.KERNEL32 ref: 00AC174A

ExitWindowsEx.USER32(?,00000000), ref: 00ACE932

Strings

SeShutdownPrivilege, xrefs: 00ACE902
, xrefs: 00ACE95C
@, xrefs: 00ACE925
, xrefs: 00ACE920

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 78006378b297b7e91e8e4e79cf7d1b4315b21f78948cbbe1e3bb665598c7c56f
Instruction ID: df54962dcbd53f389e3b0c94e64575f3c123734ab3840ad18f6e0572bb701216
Opcode Fuzzy Hash: 78006378b297b7e91e8e4e79cf7d1b4315b21f78948cbbe1e3bb665598c7c56f
Instruction Fuzzy Hash: 64012632610214ABEB54A3F99D86FBFF26CA704750F160529F812E21D2D9B05C408290

Function 00AE1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00AE1276
WSAGetLastError.WSOCK32 ref: 00AE1283
bind.WSOCK32(00000000,?,00000010), ref: 00AE12BA
WSAGetLastError.WSOCK32 ref: 00AE12C5
closesocket.WSOCK32(00000000), ref: 00AE12F4
listen.WSOCK32(00000000,00000005), ref: 00AE1303
WSAGetLastError.WSOCK32 ref: 00AE130D
closesocket.WSOCK32(00000000), ref: 00AE133C

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: cd44bf4bed2eb14c2998f290282364f50721a2453ce4162ea4486b990f7ec98b
Instruction ID: 42e4427d4d15c7b7087c15ec110e8fcae420c3705320b6ae34efc3b04eca5c9e
Opcode Fuzzy Hash: cd44bf4bed2eb14c2998f290282364f50721a2453ce4162ea4486b990f7ec98b
Instruction Fuzzy Hash: A041B3316002519FD710DFA5C988B69BBF5BF46328F188198E9569F2D2C771EC82CBE1

Function 00A9B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A9B9D4
_free.LIBCMT ref: 00A9B9F8
_free.LIBCMT ref: 00A9BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B03700), ref: 00A9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00B3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00B31270,000000FF,?,0000003F,00000000,?), ref: 00A9BC36
_free.LIBCMT ref: 00A9BD4B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 10dd498d53a75709ef08965262f3ed06c0de55c2e4a2ca689a3fd02c6f837b29
Instruction ID: 35a5e39a5d507a5a7b6b5e8d375eba123df5530f0c7e24c6438a7b5d5c44261b
Opcode Fuzzy Hash: 10dd498d53a75709ef08965262f3ed06c0de55c2e4a2ca689a3fd02c6f837b29
Instruction Fuzzy Hash: 9CC12671B14208AFDF20DF69AE41BAE7BF9EF45350F24459AE494DB291EB308E41C760

Function 00ACD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A63A97,?,?,00A62E7F,?,?,?,00000000), ref: 00A63AC2

Part of subcall function 00ACE199: GetFileAttributesW.KERNEL32(?,00ACCF95), ref: 00ACE19A

FindFirstFileW.KERNEL32(?,?), ref: 00ACD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ACD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ACD481
FindClose.KERNEL32(00000000), ref: 00ACD498
FindClose.KERNEL32(00000000), ref: 00ACD4A1

Strings

\*.*, xrefs: 00ACD3F2

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: b01e98c027ff1c1c3fac1c84b0207a0e944a6468f123a5b80c9a54cc8e4bb437
Instruction ID: 618cf8c2a097cbb4b1a4cc42fb3cdfb8d8429efb46388a90ae0273615207e7af
Opcode Fuzzy Hash: b01e98c027ff1c1c3fac1c84b0207a0e944a6468f123a5b80c9a54cc8e4bb437
Instruction Fuzzy Hash: 303160720083459BC304EFA4DA919AFB7F8AEA1314F444A2DF5D593191EB30AA09DB63

Function 00A9E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A9E645

Strings

1#INF, xrefs: 00A9F852
1#SNAN, xrefs: 00A9F844
1#IND, xrefs: 00A9F83D
1#QNAN, xrefs: 00A9F84B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7ca5f97cf274a5a8e67c6318a01d0ede093fae622bb7d6963993909cee5eabea
Instruction ID: b4765a5745aeb1c159e5be0b64f1beed66bbc2e2beb36aa79f0fd109694ca412
Opcode Fuzzy Hash: 7ca5f97cf274a5a8e67c6318a01d0ede093fae622bb7d6963993909cee5eabea
Instruction Fuzzy Hash: E3C20572E086288FDF25CF289D407AAB7F5EB48315F1541EAD84DE7241E779AE818F40

Function 00AD648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AD64DC
CoInitialize.OLE32(00000000), ref: 00AD6639
CoCreateInstance.OLE32(00AFFCF8,00000000,00000001,00AFFB68,?), ref: 00AD6650
CoUninitialize.OLE32 ref: 00AD68D4

Strings

.lnk, xrefs: 00AD64BA, 00AD6524, 00AD65E0

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 8729577ee629d2a3f37d83454832b196f1298f8e3a3b1bdf2bb61aa7591de2c3
Instruction ID: ff80b8dd43e1095395df7d3cab6e09341d9f3a53a05e458c3e2751673466adb9
Opcode Fuzzy Hash: 8729577ee629d2a3f37d83454832b196f1298f8e3a3b1bdf2bb61aa7591de2c3
Instruction Fuzzy Hash: F4D13971508301AFC304EF64C981A6BB7F8FF98704F10496DF5968B2A1EB71E945CBA2

Function 00AE22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00AE22E8

Part of subcall function 00ADE4EC: GetWindowRect.USER32(?,?), ref: 00ADE504

GetDesktopWindow.USER32 ref: 00AE2312
GetWindowRect.USER32(00000000), ref: 00AE2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00AE2355
GetCursorPos.USER32(?), ref: 00AE2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AE23DF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 4b2a5b7c5a11f6c29b80b214483427695541361d03aca65c943c0a662c90776b
Instruction ID: d77a61569c15e88bf6cbe4e81dc28048c9c68a8efd0d030f01d63dbe35adb939
Opcode Fuzzy Hash: 4b2a5b7c5a11f6c29b80b214483427695541361d03aca65c943c0a662c90776b
Instruction Fuzzy Hash: 7831CF72504356ABC720DF96C945F6BB7AEFF84710F000919F9859B181DB34E909CB92

Function 00AD9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00AD9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00AD9C8B

Part of subcall function 00AD3874: GetInputState.USER32 ref: 00AD38CB
Part of subcall function 00AD3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AD3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00AD9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00AD9C75

Strings

*.*, xrefs: 00AD9B5D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: db5b1bf1c5b82e9468365f2377e81c22544a66e9d27f680f9d93787b0a19a596
Instruction ID: 751f0ef9dff28015fad4c3d214bdc0dcbf6561dd1ad8925a66beffc45e3cbb3f
Opcode Fuzzy Hash: db5b1bf1c5b82e9468365f2377e81c22544a66e9d27f680f9d93787b0a19a596
Instruction Fuzzy Hash: DE41517190420AAFCF54DFA4CA49AEFBBB8EF05310F144156E816A72A1EB30DE45DF61

Function 00A7997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A79A4E
GetSysColor.USER32(0000000F), ref: 00A79B23
SetBkColor.GDI32(?,00000000), ref: 00A79B36

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 60707af267198312de4dae69c89218e4ed57470f2ce93d27acb457d2aa2583f6
Instruction ID: 8df097d06d52ec221599227b574955142154234688607fbd95d4ffe3a23e136f
Opcode Fuzzy Hash: 60707af267198312de4dae69c89218e4ed57470f2ce93d27acb457d2aa2583f6
Instruction Fuzzy Hash: FCA13A70109404AEE724EB7C8D58EBF36ADDBC2380F25C21BF10AC6696CE659D42D376

Function 00AE1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE304E: inet_addr.WSOCK32(?), ref: 00AE307A
Part of subcall function 00AE304E: _wcslen.LIBCMT ref: 00AE309B

socket.WSOCK32(00000002,00000002,00000011), ref: 00AE185D
WSAGetLastError.WSOCK32 ref: 00AE1884
bind.WSOCK32(00000000,?,00000010), ref: 00AE18DB
WSAGetLastError.WSOCK32 ref: 00AE18E6
closesocket.WSOCK32(00000000), ref: 00AE1915

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: a14f48867185410a299a061054f2222a3c32abddd8d0444924fdd693c7a5c334
Instruction ID: 0cec0cebc0a2a8ee656344c7ce9d8c76f4c5251b731aa5762bc69d42556a436a
Opcode Fuzzy Hash: a14f48867185410a299a061054f2222a3c32abddd8d0444924fdd693c7a5c334
Instruction Fuzzy Hash: 1D51AF71A00210AFDB10EF65C986F6A77E5AB44718F088498F94A9F3D3D771AD42CBE1

Function 00AF1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00AF1CC0
IsWindowEnabled.USER32 ref: 00AF1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00AF1CDB
IsIconic.USER32 ref: 00AF1CE9
IsZoomed.USER32 ref: 00AF1CF7

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 03b41c95b1081b04b38eed546b44b8b9e088d20e55cf5291e6a733d22838b0eb
Instruction ID: f057147cea52b645f614bb55de244ab691f73705aa05d4743e663bdb41e9aa56
Opcode Fuzzy Hash: 03b41c95b1081b04b38eed546b44b8b9e088d20e55cf5291e6a733d22838b0eb
Instruction Fuzzy Hash: B3219F317402189FD7209FAAC884B7A7BA5EF95325B198068F946CB351DB71EC43CB90

Function 00A68060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00AA5DF0
ERCP, xrefs: 00A6813C
VUUU, xrefs: 00A683FA
VUUU, xrefs: 00A683E8
VUUU, xrefs: 00A6843C

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 9797b1e75f4f83b9bf9e121c2740b0df51a1c58750dc39ac16f13236f8f72776
Instruction ID: d99bd237bf294ed0da69a22ff64da648f029eab5a648b552c7e7ea9a78e993b9
Opcode Fuzzy Hash: 9797b1e75f4f83b9bf9e121c2740b0df51a1c58750dc39ac16f13236f8f72776
Instruction Fuzzy Hash: 37A29274E0061ACBDF24CF68C9407EDB7B5BF55310F2482AAE815AB285EB749D81CF94

Function 00ACAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00ACAAAC
SetKeyboardState.USER32(00000080), ref: 00ACAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00ACAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00ACAB88

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 451b1d7ef4703476dceafe8221d248f34632006ed82d1acb29ce85f823241b9a
Instruction ID: d00b61a803003741c55b1556b29b1350e4c2cf7c55859ed420d0ff13974d2064
Opcode Fuzzy Hash: 451b1d7ef4703476dceafe8221d248f34632006ed82d1acb29ce85f823241b9a
Instruction Fuzzy Hash: 09310570A8020CAEEF35CBA9CC05FFA7BB6AB64324F05421EF185961D1D7758D81C762

Function 00ADCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00ADCE89
GetLastError.KERNEL32(?,00000000), ref: 00ADCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00ADCEFE

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 5359d71f855288a7a54c29e32c627306a025ef656808124dd5d4473f1b9717b0
Instruction ID: 4a03e2810ac95ea26cebf6af17c316b19d15381402d44c6132c6e2ce29d27b6c
Opcode Fuzzy Hash: 5359d71f855288a7a54c29e32c627306a025ef656808124dd5d4473f1b9717b0
Instruction Fuzzy Hash: 4021AFB1500306ABDB20DFA6CA49BA7B7FCEB40364F50441EE546D2251EB70EE05DB50

Function 00AC8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AC82AA

Strings

(, xrefs: 00AC82F0
|, xrefs: 00AC82DA

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7007523de816af0749c5aabd34b4b7d138dc7ed5450fea2876ee843a2e757dce
Instruction ID: 68f4387f3a6bea0e4274415a976179d224249c357541c51296636732416af1cc
Opcode Fuzzy Hash: 7007523de816af0749c5aabd34b4b7d138dc7ed5450fea2876ee843a2e757dce
Instruction Fuzzy Hash: 59322375A006059FCB28CF59C480E6AB7F0FF48710B16C56EE49ADB7A1EB74E981CB40

Function 00AD5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AD5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00AD5D17
FindClose.KERNEL32(?), ref: 00AD5D5F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 7d52486890fe1bd0360f720773cfaf36676a4813df724bf8678fa5c6eb918fcc
Instruction ID: 2d99dc377e2b2079ba345a92c590b1d1a493254b173cbc42223d67aff520ceaf
Opcode Fuzzy Hash: 7d52486890fe1bd0360f720773cfaf36676a4813df724bf8678fa5c6eb918fcc
Instruction Fuzzy Hash: F2518A34A046019FC714DF68C494A96B7F5FF49324F14855EE99A8B3A1DB30E905CFA1

Function 00A92622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A9271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A92724
UnhandledExceptionFilter.KERNEL32(?), ref: 00A92731

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2592a56670a607ebfe7591c4eec1eec6b4bcf0056c623c084b9d0aa29ba89bb7
Instruction ID: 0fd99a8154662e7edf48071216fa33faeb759a091c3d1702c5d41334899dbc10
Opcode Fuzzy Hash: 2592a56670a607ebfe7591c4eec1eec6b4bcf0056c623c084b9d0aa29ba89bb7
Instruction Fuzzy Hash: AA31C47490121CABCB21DF68DD88B9DBBB8AF08310F5041EAE41CA7260E7309F858F44

Function 00AD51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AD5238
SetErrorMode.KERNEL32(00000000), ref: 00AD52A1

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1c034b49a6ad6f57a23c4bf6db074b41a4e3afd90cdb0f9acaf4549549449623
Instruction ID: b92363be282677d54214662f79686a3eb1cb01d87e9e5be33e170ee5dbda5407
Opcode Fuzzy Hash: 1c034b49a6ad6f57a23c4bf6db074b41a4e3afd90cdb0f9acaf4549549449623
Instruction Fuzzy Hash: A1313075A10518DFDB00DF94D984EEDBBB4FF49314F048099E846AB352DB31E85ACB91

Function 00AC16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A80668
Part of subcall function 00A7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A80685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC173A
GetLastError.KERNEL32 ref: 00AC174A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 34f8d5573b5853f8a0290b1675295cc5652d26aa37d7f6bf4b9e69a49adbaad3
Instruction ID: 1e00b16afe0ed7e74d6819d8cc034499aaeae36f60beb079e93ff109ae42ad3c
Opcode Fuzzy Hash: 34f8d5573b5853f8a0290b1675295cc5652d26aa37d7f6bf4b9e69a49adbaad3
Instruction Fuzzy Hash: E211C1B2500308FFD728DF94DD86E6AB7B9EB04724B21C52EE05657242EB70BD42CA20

Function 00ACD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ACD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00ACD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ACD650

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c661d0dbe31eb796679c9be2b246dee7cda2344cf608618f79940e26cbf3f25d
Instruction ID: 1cf76616b8cdee1545280cfff1e4f3057e7a1afc1763e88c8d4b153fa5c1cff4
Opcode Fuzzy Hash: c661d0dbe31eb796679c9be2b246dee7cda2344cf608618f79940e26cbf3f25d
Instruction Fuzzy Hash: D2113075E05228BBDB108F959D45FAFBBBCEB45B60F104125F904E7290D6704A05CBA1

Function 00AC1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AC168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AC16A1
FreeSid.ADVAPI32(?), ref: 00AC16B1

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d9b90e392383dcc58832b1346e6bcaba5123e11fa48ce202ba63ea5a1816e379
Instruction ID: 1d16de33ed32a1db6d6bc777e743e13bff130b37b7bbf115166a8cbff71cb19d
Opcode Fuzzy Hash: d9b90e392383dcc58832b1346e6bcaba5123e11fa48ce202ba63ea5a1816e379
Instruction Fuzzy Hash: FAF0447194030CFBDB00CFE08D89EAEBBBCEB08210F004864E500E2181E730AA059A50

Function 00A9C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00A9C36C

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 53836be136d0d03f3e02b025273c8a065ebc7dc1f2a1d1dbbc0d4225e893c2f9
Instruction ID: 7e8150e8c5dd0fd56bcb11b56546b133c703b025b13d5c75d61f3582f7de8973
Opcode Fuzzy Hash: 53836be136d0d03f3e02b025273c8a065ebc7dc1f2a1d1dbbc0d4225e893c2f9
Instruction Fuzzy Hash: 98414972600619AFCF20AFB9CC48EBBB7F8EB84364F504269F905DB181E6709D41CB50

Function 00ABD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00ABD28C

Strings

X64, xrefs: 00ABD2A8

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: c8e6b3de319f3a56f463561d37a6a10b7c1df5f89acb1b76b2e229ae970a9654
Instruction ID: c32bd1cdba3899a8c269c2e17630e06ac970694de427b5d055e9a71a8e3fc2a4
Opcode Fuzzy Hash: c8e6b3de319f3a56f463561d37a6a10b7c1df5f89acb1b76b2e229ae970a9654
Instruction Fuzzy Hash: 93D0C9B480116DEACB94CB90DC88DD9B37CBF04345F104155F106A2000DB30964A8F10

Function 00A8CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a0602286becfdc802f4eddef53c42d509648225c1ccddba421968f22b0f052ed
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: BE021B71E002199BDF14DFA9D9806ADBBF1FF48324F25816AE919E7380D731AE418F94

Function 00AD68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AD6918
FindClose.KERNEL32(00000000), ref: 00AD6961

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 02676cfa013b55a0195c9ab464ba4e2c193fb5b860500b35e19440fd0dee44c4
Instruction ID: 9baf1090db498e64f81ff3a173e995e3e2fd432de20c6aa5a3893238d174b4fa
Opcode Fuzzy Hash: 02676cfa013b55a0195c9ab464ba4e2c193fb5b860500b35e19440fd0dee44c4
Instruction Fuzzy Hash: 4411B2316142009FC710DF69D484A26BBE5FF89328F14C69AF46A8F3A2C730EC05CB91

Function 00AD37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00AE4891,?,?,00000035,?), ref: 00AD37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00AE4891,?,?,00000035,?), ref: 00AD37F4

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cc16fd7d36c5c9525ff96495e8433ca0bd614de8f5bc6873ece6fed19df28235
Instruction ID: 5b648860e1c3e845dba2374faa9f5e1b7aafa8077a2e14fa679eab8e153b4d6f
Opcode Fuzzy Hash: cc16fd7d36c5c9525ff96495e8433ca0bd614de8f5bc6873ece6fed19df28235
Instruction Fuzzy Hash: 6CF0ECB56052192ADB1057A64D4DFEB766DDFC5771F000166F505E22C1D5605904C6B1

Function 00ACB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00ACB25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00ACB270

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 649afa4dae3842384edf6b00dd1eda3970d6de121a2a14823fedb4b92d317f90
Instruction ID: 0b8339dabb7bb8a0ed7609036519af5be1f206e7043c1067d3d8836a64aa1ab5
Opcode Fuzzy Hash: 649afa4dae3842384edf6b00dd1eda3970d6de121a2a14823fedb4b92d317f90
Instruction Fuzzy Hash: 82F01D7581424DABDB05DFA1C806BFE7BB4FF04315F008409F955A6191C3799615DFA4

Function 00AC10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AC11FC), ref: 00AC10D4
CloseHandle.KERNEL32(?,?,00AC11FC), ref: 00AC10E9

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9002b36a99fe77aaae2191be2492df1066e66547eb8acdbc6dd808534c2fd1bd
Instruction ID: 488d3bcc660c6266362bac737c461e77c79faf92cca441d227b5dff8ff7eb416
Opcode Fuzzy Hash: 9002b36a99fe77aaae2191be2492df1066e66547eb8acdbc6dd808534c2fd1bd
Instruction Fuzzy Hash: 6BE04F32008600AEE7252B91FD05E7377A9EF04320B10C82DF4A5804B1DB626C91DB10

Function 00A6CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00AB0C40

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 6e330b259ef2a6e32aa7721f252437c0f34a03834f12a38a0535dfecc7d1ce46
Instruction ID: 56e21f481776880d355a12624a4a0e8643a402f7d38378f7f5e586e49f3f6229
Opcode Fuzzy Hash: 6e330b259ef2a6e32aa7721f252437c0f34a03834f12a38a0535dfecc7d1ce46
Instruction Fuzzy Hash: 13326970900218DFCF14DF94C985AFEB7B9FF05314F248069E846AB292DB75AE45CB61

Function 00A9676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A96766,?,?,00000008,?,?,00A9FEFE,00000000), ref: 00A96998

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 728254469b1f026b1cb826247f6fe652e51febd75559deeb870161d1695309bd
Instruction ID: 2620f7a11f48875de54e010bcf73e70282b2395533199cc716a1de37c03a62ae
Opcode Fuzzy Hash: 728254469b1f026b1cb826247f6fe652e51febd75559deeb870161d1695309bd
Instruction Fuzzy Hash: AAB13A316106089FDB19CF28C48AB657BF0FF45364F29C658E8A9CF2A2C735E991CB40

Function 00A7B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00AB851F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b8b3b38fbeac16727ffac2b824f460da3bdc6278354c617ed0307875228352c2
Instruction ID: 1b109154d38080313e8021b87b3238bc02ba630252b9efdb660fb3fde19339ab
Opcode Fuzzy Hash: b8b3b38fbeac16727ffac2b824f460da3bdc6278354c617ed0307875228352c2
Instruction Fuzzy Hash: 341242B59102199BCB14CF58C9807EEB7F9FF48710F14C19AE849EB255DB349E81CBA0

Function 00ADEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00ADEABD

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c1aa0976f26608de5fd9c3a13eb52b5b998a4f38feab73d4b2a9b8a0279c5193
Instruction ID: ac3bc3045fce3487233a6e799f28987912cee374f79d4e21c5ef7935c47d1d72
Opcode Fuzzy Hash: c1aa0976f26608de5fd9c3a13eb52b5b998a4f38feab73d4b2a9b8a0279c5193
Instruction Fuzzy Hash: 49E012312102059FC710EF99D504D9AF7E9AF58770F008416FC46CB361D670A8418B90

Function 00A809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00A803EE), ref: 00A809DA

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9d6f97cfaeff5bb7a1dc35ab790021483e1ee02cbc7b00ffe388e0c21db80628
Instruction ID: 3c053cbeb4e9aaabae463837301944bf894113c25febcfad407c265148c72735
Opcode Fuzzy Hash: 9d6f97cfaeff5bb7a1dc35ab790021483e1ee02cbc7b00ffe388e0c21db80628
Instruction Fuzzy Hash:

Function 00A8781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00A8798B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7809c7d4faf86d8e52f303eda94245096871ad88f186929b404e3299068a951b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 0851BB7160C7055BDF38BB78899EBBE77E99B02380F380519D887C7282DA15DE81D352

Function 00A96DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c286d4bb936a0c9a23571f37d43048ea249a10d543096f57de8c0f006c54b082
Instruction ID: ceaf9876396891e46c9b01ae042563edd5bda3d95dcd4749ac15f88829934db3
Opcode Fuzzy Hash: c286d4bb936a0c9a23571f37d43048ea249a10d543096f57de8c0f006c54b082
Instruction Fuzzy Hash: EC320421E79F014DDB279634CC2633A6689AFB73C5F15D737E81AB69A6EF29C4834100

Function 00A7CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c0ff584df61df92a4e3997deb7b3f526396736b6064e4d2ea315b0e9e0e19
Instruction ID: 6e1a83d1d80c8250417d5e4845232cbdec6438e0c96d32fcf298cb61341fa869
Opcode Fuzzy Hash: 2f9c0ff584df61df92a4e3997deb7b3f526396736b6064e4d2ea315b0e9e0e19
Instruction Fuzzy Hash: 1832E232A001558BDF39CB29C8A4EFD7BB9EB45330F28C56AD45A9B293D634DD81DB40

Function 00A67920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767d3abb7f32d5be84cd4d9ea5ee151e78901e529b007542c6a1b14697ac0d14
Instruction ID: fa0b67ddecc5ed2900c3da78b094692c2d0ae71935287fe29110e4f45f95a2fa
Opcode Fuzzy Hash: 767d3abb7f32d5be84cd4d9ea5ee151e78901e529b007542c6a1b14697ac0d14
Instruction Fuzzy Hash: 2A22D270E00609DFDF14CFA4C941AAEB3F6FF59304F248529E816AB291EB369E15CB54

Function 00A691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e45a8924a388a5142b103a58064188ac6d49d0d57174e396f9d44c71d86e8c5
Instruction ID: b43e225f7de8c4756a5dbd8d06fb1d1b8e7218ff90fd426e9a15c0a03ed236ea
Opcode Fuzzy Hash: 6e45a8924a388a5142b103a58064188ac6d49d0d57174e396f9d44c71d86e8c5
Instruction Fuzzy Hash: FB02B6B1A00205EFDF14DF64D981AAEB7B5FF45340F208169E80ADB2D1EB31AE11CB91

Function 00A99EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6b8201297246520a49307c01837e01d607eb6e8a39f920e5505ab4fcc060c6
Instruction ID: e1ccacaab500b9224b4ece4ddd30e01e3d3639c55eb09ffcda34cd84dd6b4eaf
Opcode Fuzzy Hash: 8d6b8201297246520a49307c01837e01d607eb6e8a39f920e5505ab4fcc060c6
Instruction Fuzzy Hash: DEB10120E2AF404DC72396398875336B69CAFBB6D5F91D31BFC2675D62EF2286834140

Function 00A81C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 663346a0dc2ea01ec5736616979d7e0ff8cab3e019f0adebf6c97991fe76b825
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: E99186722080A34ADB29573E857417EFFF95A923A131A079ED4F2CA1C1FE24C966D720

Function 00A81F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: c02d9ae54492f159ebfe334e2b26115de97c771852f38ebad1b1124e50afcc91
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: E49174722090A34EDB69533D857853EFFF15A923A131A079EE4F2CB1C5EE24C965E720

Function 00A819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: aa1bf628b9b1c6f7aac97de3d9deebd951d2c3f42185b992f34e8a625166ae52
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 409163722090A34EDB2D577A957803DFFF95A923A231A079ED4F2CA1C1FE14C566D720

Function 00A87A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31af71aee660670eda7c1be90ea03251fd8504233b6dfb6b973b40b44dcfd571
Instruction ID: 3028f2037199fd13629e3af14e7414e9470fef71ccfb8b4eef4e8831fea9eebf
Opcode Fuzzy Hash: 31af71aee660670eda7c1be90ea03251fd8504233b6dfb6b973b40b44dcfd571
Instruction Fuzzy Hash: 24618B7160C70996DE38BB288D99BBFB3A6DF51780F740919E883DB2C1DA15DE42C325

Function 00A87CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9516554db5c119bfadb5e330f5b60e4a16ddf6aa6820819cb6e0dfb5770a59c6
Instruction ID: 00b811c705f7975018b1d4f57ab94161db1683c3a4556eda0b4fee496c09385f
Opcode Fuzzy Hash: 9516554db5c119bfadb5e330f5b60e4a16ddf6aa6820819cb6e0dfb5770a59c6
Instruction Fuzzy Hash: 9661BD3160C70997DE38BB284995BBF7394EF42744F301959E883DF281EA16ED428B55

Function 00A81706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: a555615fc2f2983b7318d454fbcf56062fdced863f0cccecb822c8307260cb42
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F28184336080A30EDB6D573A857547EFFE56A923A131A079ED4F2CB1C1EE24C556E720

Function 00A7D065 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea82094c9e77733579f05dd33842e7899e41c798a1d1d4bc0a9b9fb624711461
Instruction ID: 8fd56443022b97a3a07fefd4f152cb56533ed83b83c2ec3f0d05592779bd8b7e
Opcode Fuzzy Hash: ea82094c9e77733579f05dd33842e7899e41c798a1d1d4bc0a9b9fb624711461
Instruction Fuzzy Hash: D95125A584FBE56FE7079738C8AA184FF70AC1B05434886DFC6C14A8AFD3A1441AD75B

Function 00AD2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e4a44b148f4cef301faa934c0a7e85d79341c58688ae9cbc3efe150f29affb0
Instruction ID: 2bc5b2e36949d86837aa680ef6df67c9b15ebb092175d9c2d2ed74179d912db0
Opcode Fuzzy Hash: 1e4a44b148f4cef301faa934c0a7e85d79341c58688ae9cbc3efe150f29affb0
Instruction Fuzzy Hash: 7021B7326206118BD728CF79C92367E73E5AB64320F25862EE4A7C37D0DE35AD04CB80

Function 00AE2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AE2B30
DeleteObject.GDI32(00000000), ref: 00AE2B43
DestroyWindow.USER32 ref: 00AE2B52
GetDesktopWindow.USER32 ref: 00AE2B6D
GetWindowRect.USER32(00000000), ref: 00AE2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00AE2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00AE2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2CF8
GetClientRect.USER32(00000000,?), ref: 00AE2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AE2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2D80
GlobalLock.KERNEL32(00000000), ref: 00AE2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2D98
GlobalUnlock.KERNEL32(00000000), ref: 00AE2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2DA8
GlobalFree.KERNEL32(00000000), ref: 00AE2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00AFFC38,00000000), ref: 00AE2DDB
GlobalFree.KERNEL32(00000000), ref: 00AE2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00AE2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00AE2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE303F

Strings

AutoIt v3, xrefs: 00AE2CF2
DISPLAY, xrefs: 00AE2EA2
static, xrefs: 00AE2D3A, 00AE2E91
, xrefs: 00AE2FC5

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 2ced211fb1ed2c1183810f7d1208dec2a1fdab995193bfda78126010ba89782e
Instruction ID: b96ab7500a413232831d76ff53b83805be87b53bfa421ffbff5f85d314a601ad
Opcode Fuzzy Hash: 2ced211fb1ed2c1183810f7d1208dec2a1fdab995193bfda78126010ba89782e
Instruction Fuzzy Hash: 99027D71500209AFDB14DFA5CD89EAE7BB9FF48720F108558F916AB2A1DB70AD01CB60

Function 00AF70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00AF712F
GetSysColorBrush.USER32(0000000F), ref: 00AF7160
GetSysColor.USER32(0000000F), ref: 00AF716C
SetBkColor.GDI32(?,000000FF), ref: 00AF7186
SelectObject.GDI32(?,?), ref: 00AF7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00AF71C0
GetSysColor.USER32(00000010), ref: 00AF71C8
CreateSolidBrush.GDI32(00000000), ref: 00AF71CF
FrameRect.USER32(?,?,00000000), ref: 00AF71DE
DeleteObject.GDI32(00000000), ref: 00AF71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00AF7230
FillRect.USER32(?,?,?), ref: 00AF7262
GetWindowLongW.USER32(?,000000F0), ref: 00AF7284

Part of subcall function 00AF73E8: GetSysColor.USER32(00000012), ref: 00AF7421
Part of subcall function 00AF73E8: SetTextColor.GDI32(?,?), ref: 00AF7425
Part of subcall function 00AF73E8: GetSysColorBrush.USER32(0000000F), ref: 00AF743B
Part of subcall function 00AF73E8: GetSysColor.USER32(0000000F), ref: 00AF7446
Part of subcall function 00AF73E8: GetSysColor.USER32(00000011), ref: 00AF7463
Part of subcall function 00AF73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AF7471
Part of subcall function 00AF73E8: SelectObject.GDI32(?,00000000), ref: 00AF7482
Part of subcall function 00AF73E8: SetBkColor.GDI32(?,00000000), ref: 00AF748B
Part of subcall function 00AF73E8: SelectObject.GDI32(?,?), ref: 00AF7498
Part of subcall function 00AF73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00AF74B7
Part of subcall function 00AF73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AF74CE
Part of subcall function 00AF73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00AF74DB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 03dc0a8db9a3090d1cb95770fcb080dea013200e09a199fa53741623360d36da
Instruction ID: 697569c422e1e470b3da8d51192af3be4d6438637984b5f09be3360bbe49d6df
Opcode Fuzzy Hash: 03dc0a8db9a3090d1cb95770fcb080dea013200e09a199fa53741623360d36da
Instruction Fuzzy Hash: A7A17E72008309AFD710DFE5DD48ABE7BA9FB49330F100B19FAA2961A1D771E945CB51

Function 00A78D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00A78E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00AB6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00AB6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00AB6F43

Part of subcall function 00A78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A78BE8,?,00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00A78FC5

SendMessageW.USER32(?,00001053), ref: 00AB6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AB6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AB6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AB6FB7

Strings

0, xrefs: 00AB6DCF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5dc1b95c4e8ae2e044051112755b25c76da61037aa2febafd22a2a772a570821
Instruction ID: ee5dc0f59634a73a76e3b32f2e62f15804225f4b7f4f8dda10de60645dea613e
Opcode Fuzzy Hash: 5dc1b95c4e8ae2e044051112755b25c76da61037aa2febafd22a2a772a570821
Instruction Fuzzy Hash: 69129C30604201DFDB25CF28C958BBABBF9FB45310F248569E4898B262CB39EC52DB51

Function 00AE2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00AE273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AE286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00AE28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00AE28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00AE2900
GetClientRect.USER32(00000000,?), ref: 00AE290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00AE2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AE2964
GetStockObject.GDI32(00000011), ref: 00AE2974
SelectObject.GDI32(00000000,00000000), ref: 00AE2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00AE2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AE2991
DeleteDC.GDI32(00000000), ref: 00AE299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AE29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00AE29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00AE2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AE2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00AE2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00AE2A77
GetStockObject.GDI32(00000011), ref: 00AE2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AE2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00AE2A97

Strings

AutoIt v3, xrefs: 00AE28F8
DISPLAY, xrefs: 00AE295A
static, xrefs: 00AE294F, 00AE2A71
msctls_progress32, xrefs: 00AE2A13

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 7d04b80a3e5721a0870aeda15411c11e4385e820aeafa96a4ff9d3ad4b2f4bb8
Instruction ID: 0569fa96b2584edbb836d816aa39dfe5bf683808a6841b0c85cbac6a1dd3478f
Opcode Fuzzy Hash: 7d04b80a3e5721a0870aeda15411c11e4385e820aeafa96a4ff9d3ad4b2f4bb8
Instruction Fuzzy Hash: D8B16B75A00219BFEB14DFA9CD89FAE7BB9EB08710F104515F915E72A0DB70AD40CBA4

Function 00AD4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD4AED
GetDriveTypeW.KERNEL32(?,00AFCB68,?,\\.\,00AFCC08), ref: 00AD4BCA
SetErrorMode.KERNEL32(00000000,00AFCB68,?,\\.\,00AFCC08), ref: 00AD4D36

Strings

\\.\, xrefs: 00AD4B3F
Removable, xrefs: 00AD4C10, 00AD4C15
SSA, xrefs: 00AD4CA6
SSD, xrefs: 00AD4C4A
Network, xrefs: 00AD4C02
Fixed, xrefs: 00AD4C09
RAMDisk, xrefs: 00AD4BF4
FileBackedVirtual, xrefs: 00AD4CEC
1394, xrefs: 00AD4C9F
Unknown, xrefs: 00AD4BED, 00AD4C83
Virtual, xrefs: 00AD4CE5
SATA, xrefs: 00AD4CD0
SAS, xrefs: 00AD4CC9
iSCSI, xrefs: 00AD4CC2
CDROM, xrefs: 00AD4BFB
SCSI, xrefs: 00AD4C8A
ATA, xrefs: 00AD4C98
ATAPI, xrefs: 00AD4C91
PhysicalDrive, xrefs: 00AD4B76
RAID, xrefs: 00AD4CBB
USB, xrefs: 00AD4CB4
MMC, xrefs: 00AD4CDE
Fibre, xrefs: 00AD4CAD

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d53375b4ea8c79b49d99f4f9a7d1d874d3f9f30ca7061c1e84923d7d34e7622b
Instruction ID: 2574cf095787beab6ca995757633abc0f80906097018537d101f3713f8570a7f
Opcode Fuzzy Hash: d53375b4ea8c79b49d99f4f9a7d1d874d3f9f30ca7061c1e84923d7d34e7622b
Instruction Fuzzy Hash: 6F619E30616109EBCB04DF64DA8297D77B1EB4C748B2484A7F80BAB7A1DB36ED41DB41

Function 00AF73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00AF7421
SetTextColor.GDI32(?,?), ref: 00AF7425
GetSysColorBrush.USER32(0000000F), ref: 00AF743B
GetSysColor.USER32(0000000F), ref: 00AF7446
CreateSolidBrush.GDI32(?), ref: 00AF744B
GetSysColor.USER32(00000011), ref: 00AF7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AF7471
SelectObject.GDI32(?,00000000), ref: 00AF7482
SetBkColor.GDI32(?,00000000), ref: 00AF748B
SelectObject.GDI32(?,?), ref: 00AF7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00AF74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AF74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00AF74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AF752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00AF7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00AF7572
DrawFocusRect.USER32(?,?), ref: 00AF757D
GetSysColor.USER32(00000011), ref: 00AF758E
SetTextColor.GDI32(?,00000000), ref: 00AF7596
DrawTextW.USER32(?,00AF70F5,000000FF,?,00000000), ref: 00AF75A8
SelectObject.GDI32(?,?), ref: 00AF75BF
DeleteObject.GDI32(?), ref: 00AF75CA
SelectObject.GDI32(?,?), ref: 00AF75D0
DeleteObject.GDI32(?), ref: 00AF75D5
SetTextColor.GDI32(?,?), ref: 00AF75DB
SetBkColor.GDI32(?,?), ref: 00AF75E5

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b47f6756ef64db5d227f7285a00e7555b45879e04e4d2adbbd78b7e79b2c39a1
Instruction ID: 7566f3ff40bfa3d24d799b2d1f74c8c2cce6d55bbdb8da9b2e42397974d2abab
Opcode Fuzzy Hash: b47f6756ef64db5d227f7285a00e7555b45879e04e4d2adbbd78b7e79b2c39a1
Instruction Fuzzy Hash: 6B614972904218AFDB01DFE5DD49EEEBFB9EB08320F114215FA15AB2A1D7749941CB90

Function 00AF0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AF1128
GetDesktopWindow.USER32 ref: 00AF113D
GetWindowRect.USER32(00000000), ref: 00AF1144
GetWindowLongW.USER32(?,000000F0), ref: 00AF1199
DestroyWindow.USER32(?), ref: 00AF11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AF11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AF121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00AF1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00AF1245
IsWindowVisible.USER32(00000000), ref: 00AF12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00AF12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00AF12D0
GetWindowRect.USER32(00000000,?), ref: 00AF12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00AF130E
GetMonitorInfoW.USER32(00000000,?), ref: 00AF1328
CopyRect.USER32(?,?), ref: 00AF133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00AF13AA

Strings

tooltips_class32, xrefs: 00AF11E6
(, xrefs: 00AF131B
0, xrefs: 00AF10D3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8bffb5603913fc35d4684227b2121784b5b7c87a436da9ce3066bb8de7493bbf
Instruction ID: 9feb9fc178c4dded169eaad1ce7d2213227857d1ee5de9a574cbb4bcda892dc7
Opcode Fuzzy Hash: 8bffb5603913fc35d4684227b2121784b5b7c87a436da9ce3066bb8de7493bbf
Instruction Fuzzy Hash: 75B1AF71608345EFD740DFA5C984BAABBE4FF84350F00891CFA9A9B2A1DB71D845CB51

Function 00AF0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AF02E5
_wcslen.LIBCMT ref: 00AF031F
_wcslen.LIBCMT ref: 00AF0389
_wcslen.LIBCMT ref: 00AF03F1
_wcslen.LIBCMT ref: 00AF0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00AF04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AF0504

Part of subcall function 00A7F9F2: _wcslen.LIBCMT ref: 00A7F9FD

Part of subcall function 00AC223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC2258
Part of subcall function 00AC223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AC228A

Strings

GETSUBITEMCOUNT, xrefs: 00AF0384, 00AF039F
SELECT, xrefs: 00AF0548
VIEWCHANGE, xrefs: 00AF0675
SELECTALL, xrefs: 00AF0515
ISSELECTED, xrefs: 00AF04DD
SELECTINVERT, xrefs: 00AF057E
GETSELECTEDCOUNT, xrefs: 00AF0470, 00AF048B
FINDITEM, xrefs: 00AF0627
DESELECT, xrefs: 00AF059C
GETSELECTED, xrefs: 00AF05E1
SELECTCLEAR, xrefs: 00AF052D
GETTEXT, xrefs: 00AF03EC, 00AF0407
GETITEMCOUNT, xrefs: 00AF0316, 00AF0337

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e56a5a3682c9c4981191e3dea21d1675ce56f7d98bccb9b4ce43a30ea1c7f229
Instruction ID: 2f26c438f416c3252c55542e9c1d95ef83fe95157c1d79083b6b7a49bc858f9c
Opcode Fuzzy Hash: e56a5a3682c9c4981191e3dea21d1675ce56f7d98bccb9b4ce43a30ea1c7f229
Instruction Fuzzy Hash: 3BE1CE312182058FC714DF64CA50D7AB7E6FF88314B148A6DFA9A9B3A2DB30ED45CB51

Function 00A78891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A78968
GetSystemMetrics.USER32(00000007), ref: 00A78970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A7899B
GetSystemMetrics.USER32(00000008), ref: 00A789A3
GetSystemMetrics.USER32(00000004), ref: 00A789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A78A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A78A3C
GetClientRect.USER32(00000000,000000FF), ref: 00A78A5A
GetStockObject.GDI32(00000011), ref: 00A78A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A78A81

Part of subcall function 00A7912D: GetCursorPos.USER32(?), ref: 00A79141
Part of subcall function 00A7912D: ScreenToClient.USER32(00000000,?), ref: 00A7915E
Part of subcall function 00A7912D: GetAsyncKeyState.USER32(00000001), ref: 00A79183
Part of subcall function 00A7912D: GetAsyncKeyState.USER32(00000002), ref: 00A7919D

SetTimer.USER32(00000000,00000000,00000028,00A790FC), ref: 00A78AA8

Strings

AutoIt v3 GUI, xrefs: 00A78A20

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c52ace1578651528ba6132cde8927ef071e5fb5454132c234d1a3f3bcf4e21f9
Instruction ID: 1d557b756cda5d7bea6f7c7357759a15d4213de2dce5aa84c97ed4cb9fc882e8
Opcode Fuzzy Hash: c52ace1578651528ba6132cde8927ef071e5fb5454132c234d1a3f3bcf4e21f9
Instruction Fuzzy Hash: 47B16D71A40209AFDB14DFA9CD49BEE3BB9FB48314F108629FA15A7290DB34A841CB51

Function 00AC0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC1114
Part of subcall function 00AC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1120
Part of subcall function 00AC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC112F
Part of subcall function 00AC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1136
Part of subcall function 00AC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AC0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AC0E29
GetLengthSid.ADVAPI32(?), ref: 00AC0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00AC0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AC0E96
GetLengthSid.ADVAPI32(?), ref: 00AC0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AC0EB5
HeapAlloc.KERNEL32(00000000), ref: 00AC0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AC0EDD
CopySid.ADVAPI32(00000000), ref: 00AC0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AC0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AC0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AC0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0F6E
HeapFree.KERNEL32(00000000), ref: 00AC0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0F7E
HeapFree.KERNEL32(00000000), ref: 00AC0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0F8E
HeapFree.KERNEL32(00000000), ref: 00AC0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC0FA1
HeapFree.KERNEL32(00000000), ref: 00AC0FA8

Part of subcall function 00AC1193: GetProcessHeap.KERNEL32(00000008,00AC0BB1,?,00000000,?,00AC0BB1,?), ref: 00AC11A1
Part of subcall function 00AC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AC0BB1,?), ref: 00AC11A8
Part of subcall function 00AC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AC0BB1,?), ref: 00AC11B7

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ff1f5459124b855f6e119e46f3ea90ddffe3fdd746e6ee2e98a5f2fa9d4b0269
Instruction ID: 9ef28b98f4fda62b7509820f0310e91faee1342e16cd25e2b02abf8006b4ca1a
Opcode Fuzzy Hash: ff1f5459124b855f6e119e46f3ea90ddffe3fdd746e6ee2e98a5f2fa9d4b0269
Instruction Fuzzy Hash: 88718C7290021AEBDF20DFE5DD44FAEBBB8BF04350F054219F919E6191DB309A56CBA0

Function 00AEC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00AFCC08,00000000,?,00000000,?,?), ref: 00AEC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00AEC5A4
_wcslen.LIBCMT ref: 00AEC5F4
_wcslen.LIBCMT ref: 00AEC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00AEC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00AEC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00AEC84D
RegCloseKey.ADVAPI32(?), ref: 00AEC881
RegCloseKey.ADVAPI32(00000000), ref: 00AEC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00AEC960

Strings

REG_DWORD, xrefs: 00AEC804
REG_SZ, xrefs: 00AEC644
REG_MULTI_SZ, xrefs: 00AEC6F5
REG_EXPAND_SZ, xrefs: 00AEC5CD
REG_BINARY, xrefs: 00AEC913
REG_QWORD, xrefs: 00AEC8C3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 6c6ce25b61244625bad632506cb5310292d9e937c85a69d63f001499fb8a80a0
Instruction ID: 60e463983e5185c2c14b5b9239864c36741c28df87dc31342865a9e454c248b5
Opcode Fuzzy Hash: 6c6ce25b61244625bad632506cb5310292d9e937c85a69d63f001499fb8a80a0
Instruction Fuzzy Hash: E01279352042419FD714DF15C981A2AB7F5FF88724F14889DF89A9B3A2DB31ED42CB91

Function 00AF091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AF09C6
_wcslen.LIBCMT ref: 00AF0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AF0A54
_wcslen.LIBCMT ref: 00AF0A8A
_wcslen.LIBCMT ref: 00AF0B06
_wcslen.LIBCMT ref: 00AF0B81

Part of subcall function 00A7F9F2: _wcslen.LIBCMT ref: 00A7F9FD

Part of subcall function 00AC2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AC2BFA

Strings

SELECT, xrefs: 00AF0D11
CHECK, xrefs: 00AF0A85, 00AF0AA0
EXPAND, xrefs: 00AF0BF8
GETSELECTED, xrefs: 00AF0C4E
COLLAPSE, xrefs: 00AF0B01, 00AF0B1C
EXISTS, xrefs: 00AF0B7C, 00AF0B97
GETTEXT, xrefs: 00AF0C97
GETITEMCOUNT, xrefs: 00AF0C1E
ISCHECKED, xrefs: 00AF0CE1
UNCHECK, xrefs: 00AF0D3E
GETTOTALCOUNT, xrefs: 00AF09F2, 00AF0A17

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: de52e28cdb109beaf7952fa607f2c27b85a7e893a39efa54a5b70f1c0b2e4cf3
Instruction ID: 3d0add1df1f526f8fa58ca0dccee717750027e6004a64eacd41af5205fbfd2ac
Opcode Fuzzy Hash: de52e28cdb109beaf7952fa607f2c27b85a7e893a39efa54a5b70f1c0b2e4cf3
Instruction Fuzzy Hash: E6E189362083058FC714EF64C550D2AB7F1BF98358B15899DF99A9B3A2DB30ED45CB81

Function 00AEC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEB6AE,?,?), ref: 00AEC9B5
_wcslen.LIBCMT ref: 00AEC9F1
_wcslen.LIBCMT ref: 00AECA68
_wcslen.LIBCMT ref: 00AECA9E
_wcslen.LIBCMT ref: 00AECAF9
_wcslen.LIBCMT ref: 00AECB2F
_wcslen.LIBCMT ref: 00AECB7F

Strings

HKCC, xrefs: 00AECBAC
HKEY_LOCAL_MACHINE, xrefs: 00AECA62, 00AECA67
HKEY_USERS, xrefs: 00AECBDF
HKCR, xrefs: 00AECB29, 00AECB2E
HKU, xrefs: 00AECBF0
HKLM, xrefs: 00AECA98, 00AECA9D
HKCU, xrefs: 00AECBCE
HKEY_CLASSES_ROOT, xrefs: 00AECAF3, 00AECAF8
HKEY_CURRENT_CONFIG, xrefs: 00AECB79, 00AECB7E
HKEY_CURRENT_USER, xrefs: 00AECBBD

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 236202f3557902c72eb7f95d3e9a6925acac857980bea0318456432309eb60fc
Instruction ID: 4f93c83c17481f2ee02e300c8084ee38458ee5bc89f667b32967da058bc95c0e
Opcode Fuzzy Hash: 236202f3557902c72eb7f95d3e9a6925acac857980bea0318456432309eb60fc
Instruction Fuzzy Hash: 1571F9336001AA8BCB20DF7EDD515BF33A6AFA47B4B254524F86997284EA31CD46C390

Function 00AF833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AF835A
_wcslen.LIBCMT ref: 00AF836E
_wcslen.LIBCMT ref: 00AF8391
_wcslen.LIBCMT ref: 00AF83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00AF83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00AF5BF2), ref: 00AF844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AF8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00AF84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AF8501
FreeLibrary.KERNEL32(?), ref: 00AF850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AF851D
DestroyIcon.USER32(?,?,?,?,?,00AF5BF2), ref: 00AF852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AF8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00AF8555

Strings

.dll, xrefs: 00AF83AB
.exe, xrefs: 00AF8388
.icl, xrefs: 00AF8368

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 3d92c2f6a9e9a042d47f7e83abe782abd619d02b5268fe1af12f4ef8f35bca84
Instruction ID: be5dfdb0575db1ec67416701ea4ba26dbf35120df13e4da6b05b073acc837d92
Opcode Fuzzy Hash: 3d92c2f6a9e9a042d47f7e83abe782abd619d02b5268fe1af12f4ef8f35bca84
Instruction Fuzzy Hash: 0461F27154021ABBEB14DFA4CD41BBE77A8FF08B21F104649F916DA1D1DF78A980C7A0

Function 00A67778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00A6785F, 00A678B1
#OnAutoItStartRegister, xrefs: 00A67817
#requireadmin, xrefs: 00A677FF
#notrayicon, xrefs: 00A677E7
", xrefs: 00AA5153
#cs, xrefs: 00A67873, 00A678C5
Cannot parse #include, xrefs: 00AA5279
Unterminated group of comments, xrefs: 00AA528C
', xrefs: 00AA5169
#pragma compile, xrefs: 00A677D3
Bad directive syntax error, xrefs: 00AA519A
#comments-end, xrefs: 00A678D9
#include, xrefs: 00A67847
#ce, xrefs: 00A678ED
#include-once, xrefs: 00A6782F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 8cfa010090ef8428dc032cafe9d3093b61bc4cf48bb2ce49ae72eb602c10c0df
Instruction ID: acbc2f52ded5890ab7c710c9b8da1dd7cad28ec1c0b7bfdc44a3444714c7c204
Opcode Fuzzy Hash: 8cfa010090ef8428dc032cafe9d3093b61bc4cf48bb2ce49ae72eb602c10c0df
Instruction Fuzzy Hash: FE81CC71A14209BBDB21BF60CE42FBE37B8BF15304F144424F909AB196EB74DA41CBA5

Function 00AD3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00AD3EF8
_wcslen.LIBCMT ref: 00AD3F03
_wcslen.LIBCMT ref: 00AD3F5A
_wcslen.LIBCMT ref: 00AD3F98
GetDriveTypeW.KERNEL32(?), ref: 00AD3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AD401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AD4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AD4087

Strings

type cdaudio alias cd wait, xrefs: 00AD4001
close, xrefs: 00AD3EFE, 00AD3F18
close cd wait, xrefs: 00AD4072
closed, xrefs: 00AD3F08, 00AD3F2D, 00AD3F46, 00AD3F7E, 00AD3F97
set cd door , xrefs: 00AD4028
wait, xrefs: 00AD4044
open, xrefs: 00AD3F54, 00AD3F59
open , xrefs: 00AD3FE5

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 203860c191b3c6e622bb285ced46f23481652e9d27ff26b0304bf4262097070b
Instruction ID: ad256421f01ba12727c782aa75c37d1ee710ce62a8e6e9df7bcf5c70ea839755
Opcode Fuzzy Hash: 203860c191b3c6e622bb285ced46f23481652e9d27ff26b0304bf4262097070b
Instruction Fuzzy Hash: C571E1326042169FC710EF24C98196AB7F4EF98768F10492EF99697361EB30ED45CB92

Function 00AC5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00AC5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AC5A40
SetWindowTextW.USER32(?,?), ref: 00AC5A57
GetDlgItem.USER32(?,000003EA), ref: 00AC5A6C
SetWindowTextW.USER32(00000000,?), ref: 00AC5A72
GetDlgItem.USER32(?,000003E9), ref: 00AC5A82
SetWindowTextW.USER32(00000000,?), ref: 00AC5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AC5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AC5AC3
GetWindowRect.USER32(?,?), ref: 00AC5ACC
_wcslen.LIBCMT ref: 00AC5B33
SetWindowTextW.USER32(?,?), ref: 00AC5B6F
GetDesktopWindow.USER32 ref: 00AC5B75
GetWindowRect.USER32(00000000), ref: 00AC5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00AC5BD3
GetClientRect.USER32(?,?), ref: 00AC5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00AC5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AC5C2F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 47c1823d111b513ae914a862aba6f80f039ddd6e0dfd1735d9291997b0239fe5
Instruction ID: 7c28f93a6709e48bb6808e5124730e76156a03fcb372ab74eb4a364351cfa33d
Opcode Fuzzy Hash: 47c1823d111b513ae914a862aba6f80f039ddd6e0dfd1735d9291997b0239fe5
Instruction Fuzzy Hash: 6E713731900A09AFDB20DFA9CE89FAEBBF5EB48714F11491CE142A25A0D775B984CB50

Function 00ADFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00ADFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00ADFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00ADFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00ADFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00ADFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00ADFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00ADFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00ADFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00ADFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00ADFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00ADFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00ADFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00ADFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00ADFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00ADFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00ADFECC
GetCursorInfo.USER32(?), ref: 00ADFEDC
GetLastError.KERNEL32 ref: 00ADFF1E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: bd1c9a1c2760ac3500014c70632c37b90b03fb5ac1446141aaa8e37e5b9e11eb
Instruction ID: fd92bdf6975dfd099003767e1b1f697d73766c0fbaa31d5c50fea3a974f9b487
Opcode Fuzzy Hash: bd1c9a1c2760ac3500014c70632c37b90b03fb5ac1446141aaa8e37e5b9e11eb
Instruction Fuzzy Hash: 834124B0D04319AEDB10DFBA8C8586EBFE8FF08754B50452AE51DEB281DB789901CE91

Function 00A800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00A800C6

Part of subcall function 00A800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00B3070C,00000FA0,B479C931,?,?,?,?,00AA23B3,000000FF), ref: 00A8011C
Part of subcall function 00A800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AA23B3,000000FF), ref: 00A80127
Part of subcall function 00A800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AA23B3,000000FF), ref: 00A80138
Part of subcall function 00A800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00A8014E
Part of subcall function 00A800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A8015C
Part of subcall function 00A800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A8016A
Part of subcall function 00A800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A80195
Part of subcall function 00A800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A801A0

___scrt_fastfail.LIBCMT ref: 00A800E7

Part of subcall function 00A800A3: __onexit.LIBCMT ref: 00A800A9

Strings

SleepConditionVariableCS, xrefs: 00A80154
WakeAllConditionVariable, xrefs: 00A80162
InitializeConditionVariable, xrefs: 00A80148
kernel32.dll, xrefs: 00A80133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A80122

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 3b01c49f284ac05edc54c558490aef7408177b87a4645ab9e22658ec7dc4d049
Instruction ID: ce2ea3bf4c697cee56a836e06a7520b52ddc904ac5feeb96e3b9d8b44cd7227d
Opcode Fuzzy Hash: 3b01c49f284ac05edc54c558490aef7408177b87a4645ab9e22658ec7dc4d049
Instruction Fuzzy Hash: 3621F232640705AFE760BBE4AD0AF3E36A8EF05BB0F104629F901A3291DB749C048B94

Function 00AC30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC318D
_wcslen.LIBCMT ref: 00AC31F8

Strings

CLASS, xrefs: 00AC3188, 00AC31A5
CLASSNN, xrefs: 00AC31F3, 00AC3204
TEXT, xrefs: 00AC347C
REGEXPCLASS, xrefs: 00AC3255, 00AC3266
NAME, xrefs: 00AC3335, 00AC3346
INSTANCE, xrefs: 00AC3453

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: a55c3a365a8ae706cc85d75196a9cb22dcb3da0744c3a69b1c531c9e9522ef32
Instruction ID: 0f0e87985379fa69f99d3e620035958677e25679efd9634e968a126be22d7fb1
Opcode Fuzzy Hash: a55c3a365a8ae706cc85d75196a9cb22dcb3da0744c3a69b1c531c9e9522ef32
Instruction Fuzzy Hash: 99E1A333A00526AFCF289FA8C951FEDBBB4BF54710F56C15DE456A7240DB30AE858790

Function 00AD44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00AFCC08), ref: 00AD4527
_wcslen.LIBCMT ref: 00AD453B
_wcslen.LIBCMT ref: 00AD4599
_wcslen.LIBCMT ref: 00AD45F4
_wcslen.LIBCMT ref: 00AD463F
_wcslen.LIBCMT ref: 00AD46A7

Part of subcall function 00A7F9F2: _wcslen.LIBCMT ref: 00A7F9FD

GetDriveTypeW.KERNEL32(?,00B26BF0,00000061), ref: 00AD4743

Strings

fixed, xrefs: 00AD4635, 00AD463A
unknown, xrefs: 00AD4708
cdrom, xrefs: 00AD458F, 00AD4594
all, xrefs: 00AD4531, 00AD4536
network, xrefs: 00AD469D, 00AD46A2
ramdisk, xrefs: 00AD46F1
removable, xrefs: 00AD45EA, 00AD45EF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a4d0546674a4485e21ba6ccc6d624029246ce2ea61f2a5a55f2e22c0a703fbd8
Instruction ID: 4e0c46495f50cf1b551e31a89505e89fd2593437d523f0d371c435fdeb0e9d2d
Opcode Fuzzy Hash: a4d0546674a4485e21ba6ccc6d624029246ce2ea61f2a5a55f2e22c0a703fbd8
Instruction Fuzzy Hash: 7BB1CA316083029FC720DF28D991A6AB7F5AFA9760F50491EF49BC7391E730D845CBA2

Function 00AE3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AFCC08), ref: 00AE40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00AE40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00AFCC08), ref: 00AE40F2
FreeLibrary.KERNEL32(00000000,?,00AFCC08), ref: 00AE413E
StringFromGUID2.OLE32(?,?,00000028,?,00AFCC08), ref: 00AE41A8
SysFreeString.OLEAUT32(00000009), ref: 00AE4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AE42C8
SysFreeString.OLEAUT32(?), ref: 00AE42F2

Strings

GetModuleHandleExW, xrefs: 00AE40C7
kernel32.dll, xrefs: 00AE40B6

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: da18e1e1d6b14fd30b415f9792f78a432c1a8b87367957bff7472bc3e257438a
Instruction ID: f7932fbe78d7a474ed7aa0884c137a8f53b5a6200388a898f0db4022d396d692
Opcode Fuzzy Hash: da18e1e1d6b14fd30b415f9792f78a432c1a8b87367957bff7472bc3e257438a
Instruction Fuzzy Hash: 36124A75A00259EFDB14DF95C884EAEBBB9FF49314F248098E905AF251C731ED42CBA0

Function 00A6326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00B31990), ref: 00AA2F8D
GetMenuItemCount.USER32(00B31990), ref: 00AA303D
GetCursorPos.USER32(?), ref: 00AA3081
SetForegroundWindow.USER32(00000000), ref: 00AA308A
TrackPopupMenuEx.USER32(00B31990,00000000,?,00000000,00000000,00000000), ref: 00AA309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AA30A9

Strings

0, xrefs: 00A6327D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: c8e71773de6075216df33841769b2f57463ba235d488827fdc9b93c15de1450c
Instruction ID: f8fb530d6912c88ff5b728d47ed14dd33c9f4daab37cec048e2bec59aac16382
Opcode Fuzzy Hash: c8e71773de6075216df33841769b2f57463ba235d488827fdc9b93c15de1450c
Instruction Fuzzy Hash: F4710471644209BEEF258F69CD49FAABF74FF05324F204206F525AB1E0C7B1A964DB90

Function 00AF6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00AF6DEB

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00AF6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00AF6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF6E94
DestroyWindow.USER32(?), ref: 00AF6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A60000,00000000), ref: 00AF6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF6EFD
GetDesktopWindow.USER32 ref: 00AF6F16
GetWindowRect.USER32(00000000), ref: 00AF6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AF6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00AF6F4D

Part of subcall function 00A79944: GetWindowLongW.USER32(?,000000EB), ref: 00A79952

Strings

tooltips_class32, xrefs: 00AF6E58, 00AF6EDD
0, xrefs: 00AF6D98

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 162151bbde0fb1728825adff6253208a479f7a9759c11fe128e505c1fc6d3256
Instruction ID: 562db8c3027d98bbc40dc69857a6f60629fd71ebbdca34ad904f359b97830c74
Opcode Fuzzy Hash: 162151bbde0fb1728825adff6253208a479f7a9759c11fe128e505c1fc6d3256
Instruction Fuzzy Hash: E2716671144248AFDB21CF98DD48BBABBF9FB89314F14491DFA8987261CB70AD06DB11

Function 00AF911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

DragQueryPoint.SHELL32(?,?), ref: 00AF9147

Part of subcall function 00AF7674: ClientToScreen.USER32(?,?), ref: 00AF769A
Part of subcall function 00AF7674: GetWindowRect.USER32(?,?), ref: 00AF7710
Part of subcall function 00AF7674: PtInRect.USER32(?,?,00AF8B89), ref: 00AF7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00AF91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00AF91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00AF91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00AF9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00AF923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00AF9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00AF9277
DragFinish.SHELL32(?), ref: 00AF927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00AF9371

Strings

@GUI_DRAGFILE, xrefs: 00AF9320
@GUI_DRAGID, xrefs: 00AF92E9
@GUI_DROPID, xrefs: 00AF929E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 21df1b5057db15fa4321a21091f810923fb8f61f72ae82c0bb008c35b2fa470a
Instruction ID: efb91645e64adb22607587e5b929b1586938aa58ea8792664ce4d361aca5b4b6
Opcode Fuzzy Hash: 21df1b5057db15fa4321a21091f810923fb8f61f72ae82c0bb008c35b2fa470a
Instruction Fuzzy Hash: 97616A71108305AFC701DFA5DE85EAFBBF8EF98750F100A1DF595921A0DB309A49CB52

Function 00ADC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ADC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00ADC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00ADC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00ADC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00ADC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00ADC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ADC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00ADC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00ADC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00ADC5F0
InternetCloseHandle.WININET(00000000), ref: 00ADC5FB

Strings

, xrefs: 00ADC575

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0dd2523e6460dae46573e778e680c3623ad8816e42424d26aea93ca4671d3ede
Instruction ID: 3113316f29f273a1467ea08144a1f7f455ac43033756fcd40c9e453d4858a59d
Opcode Fuzzy Hash: 0dd2523e6460dae46573e778e680c3623ad8816e42424d26aea93ca4671d3ede
Instruction Fuzzy Hash: 6E515AB154020ABFDB21DFA1DA88ABB7BBCFF08764F40451AF94696210DB34E945DB60

Function 00AF856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00AF8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00AF85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00AF85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00AF85BA
GlobalLock.KERNEL32(00000000), ref: 00AF85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00AF85D7
GlobalUnlock.KERNEL32(00000000), ref: 00AF85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00AF85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00AF85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00AFFC38,?), ref: 00AF8611
GlobalFree.KERNEL32(00000000), ref: 00AF8621
GetObjectW.GDI32(?,00000018,?), ref: 00AF8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00AF8671
DeleteObject.GDI32(?), ref: 00AF8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00AF86AF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1bdad56d6b5a7d19e1c94fed19ad35699f139e2e85bcac2a4f94fcbbb639b628
Instruction ID: 4716ca16aeb2e9b85072b4d2df67a2335a26d064e94fce7a06f30b39cde29081
Opcode Fuzzy Hash: 1bdad56d6b5a7d19e1c94fed19ad35699f139e2e85bcac2a4f94fcbbb639b628
Instruction Fuzzy Hash: CE410975600208AFDB11DFE6CD48EBABBB8EF89761F104158F905EB260DB349902DB60

Function 00AD14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00AD1502
VariantCopy.OLEAUT32(?,?), ref: 00AD150B
VariantClear.OLEAUT32(?), ref: 00AD1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00AD15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00AD1657
VariantInit.OLEAUT32(?), ref: 00AD1708
SysFreeString.OLEAUT32(?), ref: 00AD178C
VariantClear.OLEAUT32(?), ref: 00AD17D8
VariantClear.OLEAUT32(?), ref: 00AD17E7
VariantInit.OLEAUT32(00000000), ref: 00AD1823

Strings

Default, xrefs: 00AD16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00AD1625

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: c856f8542f2b290dd934c2595339f4ed7085e89e84ad85b4672e3ded663f285d
Instruction ID: 1ff28726e7810a9d054a6fe4e9962cff8d0248b472d0aa7d112eb121adafea5c
Opcode Fuzzy Hash: c856f8542f2b290dd934c2595339f4ed7085e89e84ad85b4672e3ded663f285d
Instruction Fuzzy Hash: 62D1ED72A00215FBDB109FA5E989B79B7B5BF45700F10805BF40BAB291DB38ED41DB62

Function 00AEB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEB6AE,?,?), ref: 00AEC9B5
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AEC9F1
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA68
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AEB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00AEB80A
RegCloseKey.ADVAPI32(?), ref: 00AEB87E
RegCloseKey.ADVAPI32(?), ref: 00AEB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00AEB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AEB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00AEB922
FreeLibrary.KERNEL32(00000000), ref: 00AEB983
RegCloseKey.ADVAPI32(00000000), ref: 00AEB994

Strings

advapi32.dll, xrefs: 00AEB8ED
RegDeleteKeyExW, xrefs: 00AEB8FE

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0875f6ca92b475afec537006cb5339eb5759b270832d2bbca05c07345b414563
Instruction ID: 702989ea63e0caf1275c25484b088c342da7de3d764d04e13bd3aaf64b476abe
Opcode Fuzzy Hash: 0875f6ca92b475afec537006cb5339eb5759b270832d2bbca05c07345b414563
Instruction Fuzzy Hash: EBC17C30214241AFD710DF65C599F2ABBF5BF84318F14859CE49A8B7A2CB71EC46CBA1

Function 00AE255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AE25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00AE25E8
CreateCompatibleDC.GDI32(?), ref: 00AE25F4
SelectObject.GDI32(00000000,?), ref: 00AE2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00AE266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00AE26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00AE26D0
SelectObject.GDI32(?,?), ref: 00AE26D8
DeleteObject.GDI32(?), ref: 00AE26E1
DeleteDC.GDI32(?), ref: 00AE26E8
ReleaseDC.USER32(00000000,?), ref: 00AE26F3

Strings

(, xrefs: 00AE268D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1e31122d271e53dd6da38364e1cb7d7bc6d6df4ff8f3127159f32fad64d74c4c
Instruction ID: bcc2ac73aa54eb0c779d7f0f0b88f88c5010d8b391a6f5c487efeecc7cafc586
Opcode Fuzzy Hash: 1e31122d271e53dd6da38364e1cb7d7bc6d6df4ff8f3127159f32fad64d74c4c
Instruction Fuzzy Hash: F761E175D00219EFCF14CFE9D984AAEBBB9FF48310F208529E955A7250E770A951CF60

Function 00A9DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A9DAA1

Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D659
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D66B
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D67D
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D68F
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6A1
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6B3
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6C5
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6D7
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6E9
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6FB
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D70D
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D71F
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D731

_free.LIBCMT ref: 00A9DA96

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A9DAB8
_free.LIBCMT ref: 00A9DACD
_free.LIBCMT ref: 00A9DAD8
_free.LIBCMT ref: 00A9DAFA
_free.LIBCMT ref: 00A9DB0D
_free.LIBCMT ref: 00A9DB1B
_free.LIBCMT ref: 00A9DB26
_free.LIBCMT ref: 00A9DB5E
_free.LIBCMT ref: 00A9DB65
_free.LIBCMT ref: 00A9DB82
_free.LIBCMT ref: 00A9DB9A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1d51f7faf58cad7b3ed1582b1c0a83808bfd06e46d6c3fe5ccdcba8eb6b2baca
Instruction ID: 42ab49157b10d594e6fbcf994a8a16acdd6c4a6fdf0e647dab1c95ad62346bdd
Opcode Fuzzy Hash: 1d51f7faf58cad7b3ed1582b1c0a83808bfd06e46d6c3fe5ccdcba8eb6b2baca
Instruction Fuzzy Hash: 85314832704305AFEF22AB39E945B5ABBE9FF50360F554429E449EB191DF31AC90CB60

Function 00AC365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AC369C
_wcslen.LIBCMT ref: 00AC36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AC3797
GetClassNameW.USER32(?,?,00000400), ref: 00AC380C
GetDlgCtrlID.USER32(?), ref: 00AC385D
GetWindowRect.USER32(?,?), ref: 00AC3882
GetParent.USER32(?), ref: 00AC38A0
ScreenToClient.USER32(00000000), ref: 00AC38A7
GetClassNameW.USER32(?,?,00000100), ref: 00AC3921
GetWindowTextW.USER32(?,?,00000400), ref: 00AC395D

Strings

%s%u, xrefs: 00AC3734

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: c9e0c976476dc11c0836b6545d8d66c27a9d59f6a46cf006c0361b1cc7ffe2d3
Instruction ID: 38602f1179101292dd08337edac6a5dbac3d484ac75c0091c25b5bf5bd112fa4
Opcode Fuzzy Hash: c9e0c976476dc11c0836b6545d8d66c27a9d59f6a46cf006c0361b1cc7ffe2d3
Instruction Fuzzy Hash: 1391D172204606AFDB18DF64C995FEAF7A8FF44350F01862DF999D2190DB30EA46CB91

Function 00AC4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00AC4994
GetWindowTextW.USER32(?,?,00000400), ref: 00AC49DA
_wcslen.LIBCMT ref: 00AC49EB
CharUpperBuffW.USER32(?,00000000), ref: 00AC49F7
_wcsstr.LIBVCRUNTIME ref: 00AC4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00AC4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00AC4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00AC4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00AC4B20
GetWindowRect.USER32(?,?), ref: 00AC4B8B

Strings

ThumbnailClass, xrefs: 00AC4A6F, 00AC4AF1

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: fae3d5352e8c9b07d27c64d77d03fbc88b3a6bd5d6479707d7b75421a21d25c0
Instruction ID: ff744903eaf74dde8652971e990f06ac324d5d6cf0bbbc30b76aaaecaa38c1da
Opcode Fuzzy Hash: fae3d5352e8c9b07d27c64d77d03fbc88b3a6bd5d6479707d7b75421a21d25c0
Instruction Fuzzy Hash: AB91FE710082099FDB04DF14CA90FAA7BE8FF88350F05846DFD859A0A6EB30ED45CBA5

Function 00AF8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AF8D5A
GetFocus.USER32 ref: 00AF8D6A
GetDlgCtrlID.USER32(00000000), ref: 00AF8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00AF8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00AF8ECF
GetMenuItemCount.USER32(?), ref: 00AF8EEC
GetMenuItemID.USER32(?,00000000), ref: 00AF8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00AF8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00AF8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AF8FA1

Strings

0, xrefs: 00AF8E9F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 0bee59e69d4fd09bbef4a3eff5c69e6e0367440c2503aed16d984c20c7a97d3b
Instruction ID: 456b5f07a469311797b15ad1f29cba896b3d21e05590cd450f7810238fbd8c7e
Opcode Fuzzy Hash: 0bee59e69d4fd09bbef4a3eff5c69e6e0367440c2503aed16d984c20c7a97d3b
Instruction Fuzzy Hash: 3381BF715083099FDB10CFA4C984ABBBBE9FF88764F144959FA84D7291DB34D901CBA1

Function 00ACBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00B31990,000000FF,00000000,00000030), ref: 00ACBFAC
SetMenuItemInfoW.USER32(00B31990,00000004,00000000,00000030), ref: 00ACBFE1
Sleep.KERNEL32(000001F4), ref: 00ACBFF3
GetMenuItemCount.USER32(?), ref: 00ACC039
GetMenuItemID.USER32(?,00000000), ref: 00ACC056
GetMenuItemID.USER32(?,-00000001), ref: 00ACC082
GetMenuItemID.USER32(?,?), ref: 00ACC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ACC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ACC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ACC145

Strings

0, xrefs: 00ACBF3D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 3e0e1c414e2e5ee1823a727168b41073fc7786ecf5fd508713bda9b0875907ff
Instruction ID: 78f2c6ad2bd9dd3badb99dfb34a240f1b9ca2eadf9eaaf0bdf6ff042a83da9b3
Opcode Fuzzy Hash: 3e0e1c414e2e5ee1823a727168b41073fc7786ecf5fd508713bda9b0875907ff
Instruction Fuzzy Hash: BD617EB090024AAFDF11CFA9DD88FBEBBB8EB05364F15415DE815A3291C735AD45CB60

Function 00ACDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00ACDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00ACDC46
_wcslen.LIBCMT ref: 00ACDC50
_wcsstr.LIBVCRUNTIME ref: 00ACDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00ACDCBC

Strings

04090000, xrefs: 00ACDCF2
StringFileInfo\, xrefs: 00ACDC8F
DefaultLangCodepage, xrefs: 00ACDD1F
\VarFileInfo\Translation, xrefs: 00ACDCB4
%u.%u.%u.%u, xrefs: 00ACDD9A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a278e5879981cde8c7c2c6d11c2582852d8ec248b5119d8a572f67f5683dc119
Instruction ID: b11294fb071c964c3b2e87909f183b067f2f2e426ebb6f3894f1c86d7abb79ea
Opcode Fuzzy Hash: a278e5879981cde8c7c2c6d11c2582852d8ec248b5119d8a572f67f5683dc119
Instruction Fuzzy Hash: 7E411F329402187ADB11B7B5DE43FBF77BCEF41720F1040AAF905A6192EB749A01A7A5

Function 00AECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00AECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00AECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00AECD48

Part of subcall function 00AECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00AECCAA
Part of subcall function 00AECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00AECCBD
Part of subcall function 00AECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AECCCF
Part of subcall function 00AECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00AECD05
Part of subcall function 00AECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00AECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00AECCF3

Strings

advapi32.dll, xrefs: 00AECCB8
RegDeleteKeyExW, xrefs: 00AECCC9

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3f14ce1f2b6eeb6751ef2846405e748f0337628fe5e9dab0de2c54a557477179
Instruction ID: 4418f84a49f841cb6b4929a7d6bbe0acca7cabc5076781d59a9eb112aaa2bb74
Opcode Fuzzy Hash: 3f14ce1f2b6eeb6751ef2846405e748f0337628fe5e9dab0de2c54a557477179
Instruction Fuzzy Hash: C9316C7190112DBBDB20CB96DD88EFFBB7CEF55760F000165A906E3250DA349A47DAA0

Function 00AD3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AD3D40
_wcslen.LIBCMT ref: 00AD3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AD3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AD3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00AD3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AD3E55
CloseHandle.KERNEL32(00000000), ref: 00AD3E60
CloseHandle.KERNEL32(00000000), ref: 00AD3E6B

Strings

:, xrefs: 00AD3D82
\??\%s, xrefs: 00AD3D5B
\, xrefs: 00AD3D77

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b9542b0d2f5b9f9623daed748b2f19fa25bbe5dced08ff4eeced8c5d3e2b8403
Instruction ID: ccedafeb952736e591e81fa5edefe53ef935e7c0b26a99098c6bbcd2fc3f27c0
Opcode Fuzzy Hash: b9542b0d2f5b9f9623daed748b2f19fa25bbe5dced08ff4eeced8c5d3e2b8403
Instruction Fuzzy Hash: 37319E72900209AADB20EBE1DD49FEB37BDEF88750F1041B6F54AD61A0EB709745CB25

Function 00ACE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00ACE6B4

Part of subcall function 00A7E551: timeGetTime.WINMM(?,?,00ACE6D4), ref: 00A7E555

Sleep.KERNEL32(0000000A), ref: 00ACE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00ACE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00ACE727
SetActiveWindow.USER32 ref: 00ACE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00ACE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00ACE773
Sleep.KERNEL32(000000FA), ref: 00ACE77E
IsWindow.USER32 ref: 00ACE78A
EndDialog.USER32(00000000), ref: 00ACE79B

Strings

BUTTON, xrefs: 00ACE719

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 78bc2821d36c8509d76ae44be3a7b2cae161de08f792e19e82ed8a87c8e2a19e
Instruction ID: b487dea8e806db11033aef605aeecb2bc3b82d5a65e807e210a46cb58658d5da
Opcode Fuzzy Hash: 78bc2821d36c8509d76ae44be3a7b2cae161de08f792e19e82ed8a87c8e2a19e
Instruction Fuzzy Hash: EB2181B1200608AFEB00DFA6ED8AF393B69FB54758B215828F405D31B1DF71AC11CA24

Function 00ACE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00ACEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00ACEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ACEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00ACEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00ACEAA7

Strings

close PlayMe, xrefs: 00ACEA6E, 00ACEA9B
play PlayMe wait, xrefs: 00ACEA91
play PlayMe, xrefs: 00ACEAA2
alias PlayMe, xrefs: 00ACEA36
open , xrefs: 00ACEA0C
status PlayMe mode, xrefs: 00ACEA58

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d565f59f8b0d3a8bf41a67f1cc00a00467b40315b465bdf62a987bbb40f58cef
Instruction ID: 2abec9106aee9bc989d0c9d79415196c46d0a248b3c58b3ca1b107d100874b0c
Opcode Fuzzy Hash: d565f59f8b0d3a8bf41a67f1cc00a00467b40315b465bdf62a987bbb40f58cef
Instruction Fuzzy Hash: 87118671A902697DD720E7A1ED4AEFF6BBCEBD6B40F4004697405A20E1EE701D45C9B0

Function 00AC9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ACA012
SetKeyboardState.USER32(?), ref: 00ACA07D
GetAsyncKeyState.USER32(000000A0), ref: 00ACA09D
GetKeyState.USER32(000000A0), ref: 00ACA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00ACA0E3
GetKeyState.USER32(000000A1), ref: 00ACA0F4
GetAsyncKeyState.USER32(00000011), ref: 00ACA120
GetKeyState.USER32(00000011), ref: 00ACA12E
GetAsyncKeyState.USER32(00000012), ref: 00ACA157
GetKeyState.USER32(00000012), ref: 00ACA165
GetAsyncKeyState.USER32(0000005B), ref: 00ACA18E
GetKeyState.USER32(0000005B), ref: 00ACA19C

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ad32abe9d2869bec34279b859302d2bee4288f55142c52d5cabbb54b5124f9ed
Instruction ID: 8d704a65e002db1e6cbf3842c54513626aed998538551b83c8cb67934c9b18b7
Opcode Fuzzy Hash: ad32abe9d2869bec34279b859302d2bee4288f55142c52d5cabbb54b5124f9ed
Instruction Fuzzy Hash: 6351972090478C29FB35DBB08515FFBAFB59F21384F09859DD5C25A1C2DA54AE4CC7A2

Function 00AC5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00AC5CE2
GetWindowRect.USER32(00000000,?), ref: 00AC5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00AC5D59
GetDlgItem.USER32(?,00000002), ref: 00AC5D69
GetWindowRect.USER32(00000000,?), ref: 00AC5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00AC5DCF
GetDlgItem.USER32(?,000003E9), ref: 00AC5DDD
GetWindowRect.USER32(00000000,?), ref: 00AC5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00AC5E31
GetDlgItem.USER32(?,000003EA), ref: 00AC5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AC5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00AC5E67

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9f8a8d89ae674276d700103bbd94022002388fc609d39bdee592fbd1153f7bae
Instruction ID: fc9ca46af783a376447c814c93c2e57752640dbaa3a6b3281baab566e9b0e014
Opcode Fuzzy Hash: 9f8a8d89ae674276d700103bbd94022002388fc609d39bdee592fbd1153f7bae
Instruction Fuzzy Hash: 90511D70E00609AFDF18CFA9DD89EAEBBB5EF48310F158129F516E6290D770AE41CB50

Function 00A78BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A78BE8,?,00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00A78FC5

DestroyWindow.USER32(?), ref: 00A78C81
KillTimer.USER32(00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00A78D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00AB6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00AB69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00AB69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A78BBA,00000000), ref: 00AB69D4
DeleteObject.GDI32(00000000), ref: 00AB69E6

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2b12f885e2d689208e0d4ca0c648e5646624d3fc56633bd86f0a9c8ce27838f4
Instruction ID: fae9afee1edc095bc00d26d4e2e25bc5d16a46272b5f8ba0eefbc09972ab6d6c
Opcode Fuzzy Hash: 2b12f885e2d689208e0d4ca0c648e5646624d3fc56633bd86f0a9c8ce27838f4
Instruction Fuzzy Hash: BC618C31142604DFCB32DF59CE58B69B7F5FB40322F24C92CE04697560CB39A986CB90

Function 00A79838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A79944: GetWindowLongW.USER32(?,000000EB), ref: 00A79952

GetSysColor.USER32(0000000F), ref: 00A79862

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a1bdc93e7c0ac8e288763b7ac7f62ad2e14e7d3f1309e289bdb73e837a30d7db
Instruction ID: f36c8770fd514bd97e3e89a0f9ae0915e31c06d5c71e8199ca91f42502739ec9
Opcode Fuzzy Hash: a1bdc93e7c0ac8e288763b7ac7f62ad2e14e7d3f1309e289bdb73e837a30d7db
Instruction Fuzzy Hash: 7D41B2321046449FDB209FB99C84BBA3BA9AB47331F14C656F9A6872E2C7719C42DB11

Function 00AC96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00AAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00AC9717
LoadStringW.USER32(00000000,?,00AAF7F8,00000001), ref: 00AC9720

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00AAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00AC9742
LoadStringW.USER32(00000000,?,00AAF7F8,00000001), ref: 00AC9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00AC9866

Strings

Error: , xrefs: 00AC981D
Line %d (File "%s"):, xrefs: 00AC978F
Line %d:, xrefs: 00AC97A0
%s (%d) : ==> %s: %s %s, xrefs: 00AC984A
^ ERROR, xrefs: 00AC97FB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4d8ff06512ee1740266c7ab9623f77ed657832b72ba5831846f16e481346ff70
Instruction ID: 27cd6766bee6b5e1899443f902b25ef29f036dc0e51823c8863da18503b34d61
Opcode Fuzzy Hash: 4d8ff06512ee1740266c7ab9623f77ed657832b72ba5831846f16e481346ff70
Instruction Fuzzy Hash: AC412872800219AADF04EBE0DF86EEFB778AF55340F210069F60576192EB356F49DB61

Function 00AC06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AC07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AC07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AC07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AC0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00AC082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AC0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AC083C

Strings

SOFTWARE\Classes\, xrefs: 00AC070E
\CLSID, xrefs: 00AC0724
\IPC$, xrefs: 00AC0784

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 59abb84271318670be2dfca817e942cb2f53aaf4a95a8f949fb69381b63be0fe
Instruction ID: 504215ef2ebe776f3efc3206e8a553ff8b2e56c4cbeb5180fc4564ecfea00fa3
Opcode Fuzzy Hash: 59abb84271318670be2dfca817e942cb2f53aaf4a95a8f949fb69381b63be0fe
Instruction Fuzzy Hash: 76412472C10228EBDF25EBA4DD85DEEB7B8BF14350F154129E905A7160EB30AE05CBA0

Function 00AF3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00AF403B
CreateCompatibleDC.GDI32(00000000), ref: 00AF4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00AF4055
SelectObject.GDI32(00000000,00000000), ref: 00AF405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00AF4068
DeleteDC.GDI32(00000000), ref: 00AF4072
GetWindowLongW.USER32(?,000000EC), ref: 00AF407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00AF4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00AF409E

Strings

static, xrefs: 00AF3FD3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: aad768d1aea2d4f37549270eb2ec8b147fb5f9a60af8ff13998b3f0bb2e90a72
Instruction ID: 9f5e62def472e1c1edfee5c4b99278cd324dda52561ea39e8bcc9a5fc97f9b99
Opcode Fuzzy Hash: aad768d1aea2d4f37549270eb2ec8b147fb5f9a60af8ff13998b3f0bb2e90a72
Instruction Fuzzy Hash: 94313832501219ABDF219FE9CD09FEA3B68EF0D320F110211FA15E61A0CB79D861DB54

Function 00AE3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE3C5C
CoInitialize.OLE32(00000000), ref: 00AE3C8A
CoUninitialize.OLE32 ref: 00AE3C94
_wcslen.LIBCMT ref: 00AE3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00AE3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00AE3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00AE3F0E
CoGetObject.OLE32(?,00000000,00AFFB98,?), ref: 00AE3F2D
SetErrorMode.KERNEL32(00000000), ref: 00AE3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AE3FC4
VariantClear.OLEAUT32(?), ref: 00AE3FD8

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a5543e316542f6dd801dfa7289036fb905b5b172a94f7661de9b6fd686011548
Instruction ID: 425934487592df62e466450fea5577b5570f6e14bc3b2d40bc3677cf27056fc1
Opcode Fuzzy Hash: a5543e316542f6dd801dfa7289036fb905b5b172a94f7661de9b6fd686011548
Instruction Fuzzy Hash: B6C14572608245AFCB00DF6AC98892BB7F9FF89744F10495DF98A9B210D731EE05CB52

Function 00AD7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AD7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AD7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00AD7BA3
CoCreateInstance.OLE32(00AFFD08,00000000,00000001,00B26E6C,?), ref: 00AD7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AD7C74
CoTaskMemFree.OLE32(?,?), ref: 00AD7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00AD7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AD7D7A
CoTaskMemFree.OLE32(00000000), ref: 00AD7D81
CoTaskMemFree.OLE32(00000000), ref: 00AD7DD6
CoUninitialize.OLE32 ref: 00AD7DDC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: da1520413b3c9a8b4a0e83a47dea5572250123f4decaf8b9f9d0ae0261404f28
Instruction ID: 704344b69f14f26fcbd93e290c717902b7d1c5dc62d06c4f1c6825b851568929
Opcode Fuzzy Hash: da1520413b3c9a8b4a0e83a47dea5572250123f4decaf8b9f9d0ae0261404f28
Instruction Fuzzy Hash: AFC10975A04119AFCB14DFA4C988DAEBBF9FF48314B148499E81ADB361D730EE45CB90

Function 00AF541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AF5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF5515
CharNextW.USER32(00000158), ref: 00AF5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AF5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AF559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF55AC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 39b9b270b637880bf146c65491f508faebbbc992d1b505ce9f237a1ec483e0cc
Instruction ID: aac6f29e6b2d05fe1ec4c2c1b35d38b889da7c1df2fe8969f085ed9a0a87df70
Opcode Fuzzy Hash: 39b9b270b637880bf146c65491f508faebbbc992d1b505ce9f237a1ec483e0cc
Instruction Fuzzy Hash: 43614B34D0460CABDF10DFE5CD84AFE7BB9AB05725F108149FB25AA290D7749A81DB60

Function 00ABFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00ABFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00ABFB08
VariantInit.OLEAUT32(?), ref: 00ABFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00ABFB3A
VariantCopy.OLEAUT32(?,?), ref: 00ABFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00ABFBA1
VariantClear.OLEAUT32(?), ref: 00ABFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00ABFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ABFBCC
VariantClear.OLEAUT32(?), ref: 00ABFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ABFBE9

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e46f39bc22b81624fad98e2bda61140be410af3e05fc850206a1ed9937af6bb5
Instruction ID: 67d124a6abdcf3ce548dc3676e37126cceb92b3f6b1396ce1e312e68f24c4548
Opcode Fuzzy Hash: e46f39bc22b81624fad98e2bda61140be410af3e05fc850206a1ed9937af6bb5
Instruction Fuzzy Hash: 1A417235A00219DFCB04DFA9CD589FDBBB9FF08355F048469E856A7262CB30A946CF90

Function 00AC9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AC9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00AC9D22
GetKeyState.USER32(000000A0), ref: 00AC9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00AC9D57
GetKeyState.USER32(000000A1), ref: 00AC9D6C
GetAsyncKeyState.USER32(00000011), ref: 00AC9D84
GetKeyState.USER32(00000011), ref: 00AC9D96
GetAsyncKeyState.USER32(00000012), ref: 00AC9DAE
GetKeyState.USER32(00000012), ref: 00AC9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00AC9DD8
GetKeyState.USER32(0000005B), ref: 00AC9DEA

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 00a28aad08c9125f7afc3a0cbd873cb7a03e549949ba74f840f0bae63eb42b7b
Instruction ID: 3d75503864a0f1a8ebded6359e96274fe76e9a0e58fd8f61670965c66cb33c4c
Opcode Fuzzy Hash: 00a28aad08c9125f7afc3a0cbd873cb7a03e549949ba74f840f0bae63eb42b7b
Instruction Fuzzy Hash: 5041FC745087C96DFF3187A0940CBB7BEE06F21344F05805ED6C76A5C2DBA499C8C7A2

Function 00AE055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00AE05BC
inet_addr.WSOCK32(?), ref: 00AE061C
gethostbyname.WSOCK32(?), ref: 00AE0628
IcmpCreateFile.IPHLPAPI ref: 00AE0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00AE07B9
WSACleanup.WSOCK32 ref: 00AE07BF

Strings

Ping, xrefs: 00AE0676

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7867378207dec5fe5e9d7d728d82237c134b863dc8088cb045c95360c25b8394
Instruction ID: dbe649b1d3951c53ac8d644f83b4cd4abb53d0579fa9b38909265a540e4caec6
Opcode Fuzzy Hash: 7867378207dec5fe5e9d7d728d82237c134b863dc8088cb045c95360c25b8394
Instruction Fuzzy Hash: 7E9180355046419FD720DF16C989F1ABBE0AF44318F1485A9F4A98B6A2C7B0FD85CF91

Function 00AE8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00AE8CF3

Part of subcall function 00AC8E54: _wcslen.LIBCMT ref: 00AC8E77

_wcslen.LIBCMT ref: 00AE8D4E
_wcslen.LIBCMT ref: 00AE8D9C
_wcslen.LIBCMT ref: 00AE8DDC
_wcslen.LIBCMT ref: 00AE8E6E

Strings

none, xrefs: 00AE8E65, 00AE8E6A
cdecl, xrefs: 00AE8D48, 00AE8D4D
winapi, xrefs: 00AE8D96, 00AE8D9B
stdcall, xrefs: 00AE8DD6, 00AE8DDB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4d6857c7973bca085872db6c20890ea13927eab20c6812e8d8c9952ba01244dc
Instruction ID: 478c92629f02e1698908bbddf290cf6ed4b1e65dd7f21b565ecf13d61d9d87a1
Opcode Fuzzy Hash: 4d6857c7973bca085872db6c20890ea13927eab20c6812e8d8c9952ba01244dc
Instruction Fuzzy Hash: 2D51A332A005569BCF24DF6DC9809BEB7B5BF64724B214269E42AE72C4DF39DD40C790

Function 00AE372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00AE3774
CoUninitialize.OLE32 ref: 00AE377F
CoCreateInstance.OLE32(?,00000000,00000017,00AFFB78,?), ref: 00AE37D9
IIDFromString.OLE32(?,?), ref: 00AE384C
VariantInit.OLEAUT32(?), ref: 00AE38E4
VariantClear.OLEAUT32(?), ref: 00AE3936

Strings

Invalid parameter, xrefs: 00AE3865
NULL Pointer assignment, xrefs: 00AE381E
Failed to create object, xrefs: 00AE37E4, 00AE389A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 2db0ef682e717c19382a3358f8493bc7c1129b489a987f53a7fbe64b28127ffc
Instruction ID: 3d0813ef7eb73bbdaa482e934e9672b085fff4882b1bee0dd578ea84601b9e43
Opcode Fuzzy Hash: 2db0ef682e717c19382a3358f8493bc7c1129b489a987f53a7fbe64b28127ffc
Instruction Fuzzy Hash: EE61AC72608351AFDB10DF56C988F6ABBF8AF49754F004849F9859B291C770EE48CB92

Function 00AD3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AD33CF

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00AD33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00AD3504
Error: , xrefs: 00AD34D1
Line %d (File "%s"):, xrefs: 00AD3443, 00AD345C
^ ERROR , xrefs: 00AD349E
"%s" (%d) : ==> %s:, xrefs: 00AD3522
Incorrect parameters to object property !, xrefs: 00AD34AB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 45ecb0b75040233e8ef2913ff9309debc6847e801a4423042e2596a40f8de243
Instruction ID: fd9fbbf249d1ff1a7808429df525b130079ba553b90c7e4d18919310be10ca36
Opcode Fuzzy Hash: 45ecb0b75040233e8ef2913ff9309debc6847e801a4423042e2596a40f8de243
Instruction Fuzzy Hash: 91517F72900209BADF15EBE0DE46EEEB7B8AF14340F204465F50A731A1EB312F59DB61

Function 00ACB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00ACB5FC
_wcslen.LIBCMT ref: 00ACB608
_wcslen.LIBCMT ref: 00ACB64D
_wcslen.LIBCMT ref: 00ACB68C
_wcslen.LIBCMT ref: 00ACB6C7

Strings

REMOVE, xrefs: 00ACB602, 00ACB607
EXISTS, xrefs: 00ACB686, 00ACB68B
KEYS, xrefs: 00ACB647, 00ACB64C
APPEND, xrefs: 00ACB6C1, 00ACB6C6

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7b0714b833459a5cc73ba9020603426abc1b049f5103122e47f07a8ca09ff285
Instruction ID: 546c9d764fa6474bca2862b0ba1caebc1cd5e5b5994e034908a3fe5c46511b0d
Opcode Fuzzy Hash: 7b0714b833459a5cc73ba9020603426abc1b049f5103122e47f07a8ca09ff285
Instruction Fuzzy Hash: 5641E732A110279ACB206F7DC992BBE77B5AF60754F26452DE825D7284E732CD81C7A0

Function 00AD5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AD5416
GetLastError.KERNEL32 ref: 00AD5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00AD54A7

Strings

UNKNOWN, xrefs: 00AD5444
NOTREADY, xrefs: 00AD544B
READY, xrefs: 00AD5460, 00AD5468
READONLY, xrefs: 00AD5452
INVALID, xrefs: 00AD5459

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 55a8e97ae0dac87a4b812bb5ff0c2cc8c1b757fe3d44b90887b8f552ecace83f
Instruction ID: fe3ebb20d19431137c82615cbcc1fdacc92ca3949b285ab378645ed3e4fe1024
Opcode Fuzzy Hash: 55a8e97ae0dac87a4b812bb5ff0c2cc8c1b757fe3d44b90887b8f552ecace83f
Instruction Fuzzy Hash: 5F3190B5E006089FD710DF78C584AAABBB5FF45305F14806AE406DB392DB71DD86CB92

Function 00AF3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00AF3C79
SetMenu.USER32(?,00000000), ref: 00AF3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF3D10
IsMenu.USER32(?), ref: 00AF3D24
CreatePopupMenu.USER32 ref: 00AF3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AF3D5B
DrawMenuBar.USER32 ref: 00AF3D63

Strings

0, xrefs: 00AF3C54
F, xrefs: 00AF3D4E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 645282a4b637078065fed3dbdab8aaa4131fafd4e32c98aa10c08d55e96a1af4
Instruction ID: e847a73ce4a7489a33fa662db68caadca07bc3eab9d90f2f3e0fc38350a7b4c1
Opcode Fuzzy Hash: 645282a4b637078065fed3dbdab8aaa4131fafd4e32c98aa10c08d55e96a1af4
Instruction Fuzzy Hash: 1E416876A01209EFDF14DFA5D944ABA7BB5FF49350F140428FA46A7360D730AA15CF90

Function 00AC1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AC3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00AC1F64
GetDlgCtrlID.USER32 ref: 00AC1F6F
GetParent.USER32 ref: 00AC1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC1F8E
GetDlgCtrlID.USER32(?), ref: 00AC1F97
GetParent.USER32(?), ref: 00AC1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC1FAE

Strings

ListBox, xrefs: 00AC1F21
ComboBox, xrefs: 00AC1EEC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 52ff086772181c51fbadeac9ae9ec9c5f852c23edfea59bcde09f5a9bb076a5f
Instruction ID: a438750da8fd425d5b6bbd50598ebe06b15949420c673eb35b0ae10a612d2b55
Opcode Fuzzy Hash: 52ff086772181c51fbadeac9ae9ec9c5f852c23edfea59bcde09f5a9bb076a5f
Instruction Fuzzy Hash: 6F21C571A00118BBCF04EFE1DD85EFEBBB8EF16310B00415AF955A72A1CB385919DB60

Function 00AC1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AC3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00AC2043
GetDlgCtrlID.USER32 ref: 00AC204E
GetParent.USER32 ref: 00AC206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC206D
GetDlgCtrlID.USER32(?), ref: 00AC2076
GetParent.USER32(?), ref: 00AC208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC208D

Strings

ListBox, xrefs: 00AC2002
ComboBox, xrefs: 00AC1FCD

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0ceac4b55ae72edaff8fc757ed85295c2e3d2b5e5f18da6d28d33d8c5dd472b9
Instruction ID: 499d1c592c0299e13761a173248fd127e47b21ed8fe9fe1365529e4e775c4be8
Opcode Fuzzy Hash: 0ceac4b55ae72edaff8fc757ed85295c2e3d2b5e5f18da6d28d33d8c5dd472b9
Instruction Fuzzy Hash: B421D1B1900218BBCF10EFE0DD85FFEBBB8EF15310F00404AB955A71A1CA798919DB60

Function 00AF3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AF3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AF3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00AF3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AF3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AF3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00AF3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00AF3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00AF3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00AF3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00AF3C13

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a76239c83f7d5b7e64c8806eaa1a6d1f783d9d4386907eb0e15d738541b0027b
Instruction ID: 34535a5b7de34b8f70a1bf715afc7cdbe7d73bb4e143502cd2ef9789e979334e
Opcode Fuzzy Hash: a76239c83f7d5b7e64c8806eaa1a6d1f783d9d4386907eb0e15d738541b0027b
Instruction Fuzzy Hash: B9615875A00248AFDB10DFA8CD81EFE77B8EB09710F104199FA15EB2A1D774AE46DB50

Function 00ACB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ACB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB165
GetWindowThreadProcessId.USER32(00000000), ref: 00ACB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB21D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3dd15c6ded4f3a4a17d8f64bddac0ebe44f61e6053cf0a32fb93a0b5f2765710
Instruction ID: ce53649919f3e3364657f6fb1ef8df08d32ea7bd1aa9c28ad32d87d4ad8d1980
Opcode Fuzzy Hash: 3dd15c6ded4f3a4a17d8f64bddac0ebe44f61e6053cf0a32fb93a0b5f2765710
Instruction Fuzzy Hash: 1831B871120208AFDB209FA5DD5AFBE7BA9AB10761F224008FA00C71A0CBB59E41CF30

Function 00A92C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A92C94

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A92CA0
_free.LIBCMT ref: 00A92CAB
_free.LIBCMT ref: 00A92CB6
_free.LIBCMT ref: 00A92CC1
_free.LIBCMT ref: 00A92CCC
_free.LIBCMT ref: 00A92CD7
_free.LIBCMT ref: 00A92CE2
_free.LIBCMT ref: 00A92CED
_free.LIBCMT ref: 00A92CFB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b13ad9ff3c3cd6fc219f56716157d146a181c952f5664f22cf031bb09f2c547f
Instruction ID: ea5ffe68754967c1e3fc19c8643c396bbd7c587f0a40992e19ba1ca96543a8d0
Opcode Fuzzy Hash: b13ad9ff3c3cd6fc219f56716157d146a181c952f5664f22cf031bb09f2c547f
Instruction Fuzzy Hash: 4D116376600108BFCF02EF54DA82EDD3BE5FF45350F5145A5FA489B222DA31EE509B90

Function 00AD7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AD7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD7FC1
GetFileAttributesW.KERNEL32(?), ref: 00AD7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00AD8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AD80B0

Strings

*.*, xrefs: 00AD8066

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 3298b7874098202b0aef1b95d00462d7726d1be216402b7de99792e3212e09e1
Instruction ID: 98d196ecb1e67f989d37114e40cfb5279a75436f9ed8a7133d51fd947b5099fa
Opcode Fuzzy Hash: 3298b7874098202b0aef1b95d00462d7726d1be216402b7de99792e3212e09e1
Instruction Fuzzy Hash: 7581AC725082419BCB28EF55C944AAEB3E8BF88714F54486FF886C7350EB34DD49CB92

Function 00A65BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A65C7A

Part of subcall function 00A65D0A: GetClientRect.USER32(?,?), ref: 00A65D30
Part of subcall function 00A65D0A: GetWindowRect.USER32(?,?), ref: 00A65D71
Part of subcall function 00A65D0A: ScreenToClient.USER32(?,?), ref: 00A65D99

GetDC.USER32 ref: 00AA46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AA4708
SelectObject.GDI32(00000000,00000000), ref: 00AA4716
SelectObject.GDI32(00000000,00000000), ref: 00AA472B
ReleaseDC.USER32(?,00000000), ref: 00AA4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AA47C4

Strings

U, xrefs: 00AA4693

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b576478b2c71a1369e667d6f9fee6f30f88e966f6fb5a1cc88d52c25d53de68e
Instruction ID: 5eea5196bd07610c41ca85cfb1e42c97ec575aa88f34a8873a5408dcf68111ff
Opcode Fuzzy Hash: b576478b2c71a1369e667d6f9fee6f30f88e966f6fb5a1cc88d52c25d53de68e
Instruction Fuzzy Hash: 9F71D031800249DFCF21CFA4C984ABA7BB5FF8B360F244269F9555B2A6C7718842DF50

Function 00AD359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00AD35E4

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

LoadStringW.USER32(00B32390,?,00000FFF,?), ref: 00AD360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00AD3724
Error: , xrefs: 00AD36EF
Line %d (File "%s"):, xrefs: 00AD366B
"%s" (%d) : ==> %s:, xrefs: 00AD3742
^ ERROR, xrefs: 00AD36C9

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 62e967e0502a78fe4ac1e50ce108a03a0a18e774e7255cf1bd256b2ddc713482
Instruction ID: 3ef495f169efa79205a7c22de8838ae8e51b095c13234169804a545c873a0bd5
Opcode Fuzzy Hash: 62e967e0502a78fe4ac1e50ce108a03a0a18e774e7255cf1bd256b2ddc713482
Instruction Fuzzy Hash: 83516D72800219BBDF14EBE0DE46EEEBB78AF14300F144165F115762A1EB316B99DFA1

Function 00AF8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

Part of subcall function 00A7912D: GetCursorPos.USER32(?), ref: 00A79141
Part of subcall function 00A7912D: ScreenToClient.USER32(00000000,?), ref: 00A7915E
Part of subcall function 00A7912D: GetAsyncKeyState.USER32(00000001), ref: 00A79183
Part of subcall function 00A7912D: GetAsyncKeyState.USER32(00000002), ref: 00A7919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00AF8B6B
ImageList_EndDrag.COMCTL32 ref: 00AF8B71
ReleaseCapture.USER32 ref: 00AF8B77
SetWindowTextW.USER32(?,00000000), ref: 00AF8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00AF8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00AF8CFF

Strings

@GUI_DRAGFILE, xrefs: 00AF8C9A
@GUI_DROPID, xrefs: 00AF8C51

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 164d4dd7d569d9fb75c0da03da94c33a0eb639db33d5361588ad76e218b213d6
Instruction ID: 907e5d35cec4484d60aa196d2ca17fdaf5fbfa235e09f5f42016c2780bf7498e
Opcode Fuzzy Hash: 164d4dd7d569d9fb75c0da03da94c33a0eb639db33d5361588ad76e218b213d6
Instruction Fuzzy Hash: 2B518C71104308AFD700DF64DE55BBE77E8FB88750F100A29FA56972E1CB749905CB62

Function 00ADC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ADC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ADC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00ADC2CA
GetLastError.KERNEL32 ref: 00ADC322
SetEvent.KERNEL32(?), ref: 00ADC336
InternetCloseHandle.WININET(00000000), ref: 00ADC341

Strings

, xrefs: 00ADC2BB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: efc10af5b52432befb3c919ce98f8d0fc416da8997f060dd628a2eb280265255
Instruction ID: 33edf4f73a3ed01a7737522e887434acec9099ce947d5de1f0253c3813b75e73
Opcode Fuzzy Hash: efc10af5b52432befb3c919ce98f8d0fc416da8997f060dd628a2eb280265255
Instruction Fuzzy Hash: 35316DB1500209AFD721EFA58988ABBBBFCEB49764B50851EF44797300DB34DD05DB60

Function 00AC989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AA3AAF,?,?,Bad directive syntax error,00AFCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00AC98BC
LoadStringW.USER32(00000000,?,00AA3AAF,?), ref: 00AC98C3

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AC9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00AC98F1
Line %d (File "%s"):, xrefs: 00AC992D
., xrefs: 00AC996D
Line %d:, xrefs: 00AC9912
Error: , xrefs: 00AC9955

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 21ee1e9321b41f78ba3eb90ebcbcae205c3a2ad5e3e2cb50d791c8c62c09b8c9
Instruction ID: 05ef66f524332e057bb5610e8012cbfae81ea861083d7a9ee48fbc72257a7a69
Opcode Fuzzy Hash: 21ee1e9321b41f78ba3eb90ebcbcae205c3a2ad5e3e2cb50d791c8c62c09b8c9
Instruction Fuzzy Hash: DF21483280021EBBCF15EF90CE0AEEE7779BF18700F044469F519661A2EB71AA18DB51

Function 00AC209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00AC20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00AC20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AC214D

Strings

largeicons, xrefs: 00AC20E1
smallicons, xrefs: 00AC2115
list, xrefs: 00AC212F
details, xrefs: 00AC20FB
SHELLDLL_DefView, xrefs: 00AC20CC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: bf1fbc1f0116f62e4e15740bc793a65205e9b1b993c2afeda5b2909535e44301
Instruction ID: c5bc98a7f94b4d69df3bfd342ec01fff2bef66f07c0767085795c5c52be9f61f
Opcode Fuzzy Hash: bf1fbc1f0116f62e4e15740bc793a65205e9b1b993c2afeda5b2909535e44301
Instruction Fuzzy Hash: 32110676688717B9FA157720EC0AFF677DCCF08364B21026AFB08A90E1FE7568025B14

Function 00A98D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f546d52bc3da439050a4a16f369fa7dad23fb82e00e9ddb4ec6cf972a7129b26
Instruction ID: 93999cdf417a280b20ea1728a18cac12e5e9498f78d28fe1625adbcc9238ed60
Opcode Fuzzy Hash: f546d52bc3da439050a4a16f369fa7dad23fb82e00e9ddb4ec6cf972a7129b26
Instruction Fuzzy Hash: 80C1CF74F04249AFDF11EFACC941BAEBBF0BF1A310F144199E425A7292DB349941CB61

Function 00A9CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00A9CEB7
_free.LIBCMT ref: 00A9CF22
_free.LIBCMT ref: 00A9CF48
_free.LIBCMT ref: 00A9CF71
_free.LIBCMT ref: 00A9CFA9
_free.LIBCMT ref: 00A9CFDA
_free.LIBCMT ref: 00A9D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00A9D09C
_free.LIBCMT ref: 00A9D0B5

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 8f2ccba669d2326cb6c46a05dff52dc7ca187c163f377bce4ac79a8dfd41ffd7
Instruction ID: d3e7ce50ddb9d82db3f42da2d7ca2da66df810c12aba70ae9f4e25b955734c76
Opcode Fuzzy Hash: 8f2ccba669d2326cb6c46a05dff52dc7ca187c163f377bce4ac79a8dfd41ffd7
Instruction Fuzzy Hash: DD613471B08701AFDF21AFB89991B6E7BE5EF05360F14416DF945A7282EB31AD018790

Function 00AF50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00AF5186
ShowWindow.USER32(?,00000000), ref: 00AF51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00AF51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00AF51D1

Part of subcall function 00AF6FBA: DeleteObject.GDI32(00000000), ref: 00AF6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00AF520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AF524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00AF5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00AF5296

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 205210811185de1aa32fbedd40363c7c339d539a7618aa873e0f5005ae04dea5
Instruction ID: 9e86b67800709bce4d9e1fb4523ac2961a5d5aad03e05306fc998bb6c0cc6e17
Opcode Fuzzy Hash: 205210811185de1aa32fbedd40363c7c339d539a7618aa873e0f5005ae04dea5
Instruction Fuzzy Hash: D0516D30E40A0CBEEF24AFB9CD45BF93B65AF05361F148212F715962E0C775A980DB44

Function 00A78B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00AB6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00AB68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AB68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00AB68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AB68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A78874,00000000,00000000,00000000,000000FF,00000000), ref: 00AB6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AB691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A78874,00000000,00000000,00000000,000000FF,00000000), ref: 00AB692D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a777896c7836c37c31cb39ee7d60db5c9141071b5bbd9ac60b9655e4f58d75cf
Instruction ID: 02c3c980c958aa8abcb4d1d6e0ee72187c6ff771e035225db40a77e94f2261ab
Opcode Fuzzy Hash: a777896c7836c37c31cb39ee7d60db5c9141071b5bbd9ac60b9655e4f58d75cf
Instruction Fuzzy Hash: 83519D70640209EFDB20CF65CC55FAE7BB9FB88760F108518F94A972A0DB74E951DB50

Function 00ADC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ADC182
GetLastError.KERNEL32 ref: 00ADC195
SetEvent.KERNEL32(?), ref: 00ADC1A9

Part of subcall function 00ADC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ADC272
Part of subcall function 00ADC253: GetLastError.KERNEL32 ref: 00ADC322
Part of subcall function 00ADC253: SetEvent.KERNEL32(?), ref: 00ADC336
Part of subcall function 00ADC253: InternetCloseHandle.WININET(00000000), ref: 00ADC341

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 65356b7cd43ca9c1acbe9e8b108d7021becd4f7e5aa85ac17ebd954bba76a9a3
Instruction ID: c0ea84ca6ba427da65d92fa1a1249a2d5aa6276d30a419a56283c3c767f33ebb
Opcode Fuzzy Hash: 65356b7cd43ca9c1acbe9e8b108d7021becd4f7e5aa85ac17ebd954bba76a9a3
Instruction Fuzzy Hash: 47318971200706AFDB21AFE69E44AB6BBF8FF18320B50451EF95782710D730E815DBA0

Function 00AC25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC3A57
Part of subcall function 00AC3A3D: GetCurrentThreadId.KERNEL32 ref: 00AC3A5E
Part of subcall function 00AC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AC25B3), ref: 00AC3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AC25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00AC25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AC2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00AC2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AC2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00AC2627

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2d1158755f78487a7a7cbcb00add81681df5b4202a5cd4231aa3fb316e09bf92
Instruction ID: e3ef3b652270ce7f33b1209545d3772a310f9b64ad3244ce36b17e496e8b9b5c
Opcode Fuzzy Hash: 2d1158755f78487a7a7cbcb00add81681df5b4202a5cd4231aa3fb316e09bf92
Instruction Fuzzy Hash: 5401D431394228BBFB10A7A99C8AF693F59DF4EB62F110015F318AE0D1C9F26455CA69

Function 00AC1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00AC1449,?,?,00000000), ref: 00AC180C
HeapAlloc.KERNEL32(00000000,?,00AC1449,?,?,00000000), ref: 00AC1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AC1449,?,?,00000000), ref: 00AC1828
GetCurrentProcess.KERNEL32(?,00000000,?,00AC1449,?,?,00000000), ref: 00AC1830
DuplicateHandle.KERNEL32(00000000,?,00AC1449,?,?,00000000), ref: 00AC1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AC1449,?,?,00000000), ref: 00AC1843
GetCurrentProcess.KERNEL32(00AC1449,00000000,?,00AC1449,?,?,00000000), ref: 00AC184B
DuplicateHandle.KERNEL32(00000000,?,00AC1449,?,?,00000000), ref: 00AC184E
CreateThread.KERNEL32(00000000,00000000,00AC1874,00000000,00000000,00000000), ref: 00AC1868

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 4286858005cbf25e4ed39550c39ddfa996af6d05185e5a758dc64c93f1eb2413
Instruction ID: cf0a30254df6a9f5c45a111cc1a3bd18b0a7abea9ef549c5eb5d9895ed993ca3
Opcode Fuzzy Hash: 4286858005cbf25e4ed39550c39ddfa996af6d05185e5a758dc64c93f1eb2413
Instruction Fuzzy Hash: 3401BBB5240308BFE710EBE6DD4DF6B7BACEB89B51F014511FA05DB1A2CA709811DB64

Function 00AEA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00ACD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00ACD501
Part of subcall function 00ACD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00ACD50F
Part of subcall function 00ACD4DC: CloseHandle.KERNELBASE(00000000), ref: 00ACD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AEA16D
GetLastError.KERNEL32 ref: 00AEA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AEA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00AEA268
GetLastError.KERNEL32(00000000), ref: 00AEA273
CloseHandle.KERNEL32(00000000), ref: 00AEA2C4

Strings

SeDebugPrivilege, xrefs: 00AEA18F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 922144f86d4f70f9f94c7c724cbcd8a2a006384197a72947355d9395c7735845
Instruction ID: 6d1301d6af1ebb181e4b2a84a51e9c4737fa5a557bf13a86e25a21af21e0ba6f
Opcode Fuzzy Hash: 922144f86d4f70f9f94c7c724cbcd8a2a006384197a72947355d9395c7735845
Instruction Fuzzy Hash: DE619C302042829FD710DF56C594F65BBE1AF54318F15848CE5668B7A3C772FC45CB92

Function 00AF3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AF3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00AF393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AF3954
_wcslen.LIBCMT ref: 00AF3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00AF39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AF39F4

Strings

SysListView32, xrefs: 00AF38F7

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: cf892c13c97bc8be7590d10a4be78582ddc81a2b396bbe9fcc11f3eece7ee5d2
Instruction ID: e5f9c28ea403d5e6a6a38a5bc5e5a803eec7a98fd798d402a7395e609a393fb7
Opcode Fuzzy Hash: cf892c13c97bc8be7590d10a4be78582ddc81a2b396bbe9fcc11f3eece7ee5d2
Instruction Fuzzy Hash: 1F419572A0021DABDF21DFA4CC45BFE77A9EF08350F100566FA58E7291D7B59980CB90

Function 00ACBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ACBCFD
IsMenu.USER32(00000000), ref: 00ACBD1D
CreatePopupMenu.USER32 ref: 00ACBD53
GetMenuItemCount.USER32(00BA5260), ref: 00ACBDA4
InsertMenuItemW.USER32(00BA5260,?,00000001,00000030), ref: 00ACBDCC

Strings

0, xrefs: 00ACBCA8
2, xrefs: 00ACBD37

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 3accdde7cdcbc0b01020fa5136a4db4bcb93db864312a986dba2addfb4f656da
Instruction ID: 529aee040690b630dcd040bd7f3afe1a3bd35b1a00e87380971a229088f4addf
Opcode Fuzzy Hash: 3accdde7cdcbc0b01020fa5136a4db4bcb93db864312a986dba2addfb4f656da
Instruction Fuzzy Hash: 7751DD70A102099BDF12CFA8D986FAEBBF8BF45324F15415DE412AB290D7729941CB71

Function 00ACC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00ACC913

Strings

warning, xrefs: 00ACC8FC
info, xrefs: 00ACC8B4
question, xrefs: 00ACC8CC
stop, xrefs: 00ACC8E4
blank, xrefs: 00ACC895

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: edf90dd44fb1e64a5dfebeb57aa51ae8d67e3ea8007ad5657e5eafc44f80df70
Instruction ID: a6312391e6610c088e930b4fd850f997904737d787d1bed43c6a271eb9b01bc6
Opcode Fuzzy Hash: edf90dd44fb1e64a5dfebeb57aa51ae8d67e3ea8007ad5657e5eafc44f80df70
Instruction Fuzzy Hash: 8F112032689317BAE705AB54ED83EAF77ECDF15374B11006EF908A62D2E7709D005365

Function 00ACDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00ACDE42
gethostname.WSOCK32(?,00000100), ref: 00ACDE5C
gethostbyname.WSOCK32(?), ref: 00ACDE69
inet_ntoa.WSOCK32(?), ref: 00ACDEAB
_strcat.LIBCMT ref: 00ACDEB9
WSACleanup.WSOCK32 ref: 00ACDEDE

Strings

0.0.0.0, xrefs: 00ACDE87

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 3c0bfb47797e37c6eec2768a43e4af7084ad03c9a784496406afe26dc64440bb
Instruction ID: 98763ea2b2738e3a5df616fd2ee24ab212c7f6e19284b3283887eb102500eb51
Opcode Fuzzy Hash: 3c0bfb47797e37c6eec2768a43e4af7084ad03c9a784496406afe26dc64440bb
Instruction Fuzzy Hash: 7811E731504119AFCB20BBA1DD0AEEE77ACDB14720F02017AF5099A091EF708A81CB90

Function 00AF9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

GetSystemMetrics.USER32(0000000F), ref: 00AF9FC7
GetSystemMetrics.USER32(0000000F), ref: 00AF9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00AFA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00AFA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00AFA263
ShowWindow.USER32(00000003,00000000), ref: 00AFA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00AFA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00AFA2CA

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 02fce76ce6249213d46fe37d0acc9a7d1e308a4a6ca6560eadef23f45f35dbf6
Instruction ID: 7620204dd14dc440f4c354f02786822e29284258207ac18fcfcc7dc1fe006a86
Opcode Fuzzy Hash: 02fce76ce6249213d46fe37d0acc9a7d1e308a4a6ca6560eadef23f45f35dbf6
Instruction Fuzzy Hash: 64B1B871600219DBCF14CFA8C9847FE7BB2BF54701F19816AFE499B2A5DB31A940CB51

Function 00ACED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00ACED2A
_wcslen.LIBCMT ref: 00ACED3B
_wcslen.LIBCMT ref: 00ACED79
_wcslen.LIBCMT ref: 00ACEDAF
_wcslen.LIBCMT ref: 00ACEDDF
_wcslen.LIBCMT ref: 00ACEDEF
_wcslen.LIBCMT ref: 00ACEE2B
_wcslen.LIBCMT ref: 00ACEE5A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 18308e1af98ab8c71cd1553544c5e5d649fe33136cf0e99e54ef9473b54000d8
Instruction ID: 2db960d7e88ce01bc39631e51b44cccae1fb17cf0276320cade837cba96c28f1
Opcode Fuzzy Hash: 18308e1af98ab8c71cd1553544c5e5d649fe33136cf0e99e54ef9473b54000d8
Instruction Fuzzy Hash: 4B419075C1021876DB21FBF4898AECFB7ACAF45710F508466E528E3162FB34E255C3A6

Function 00A7F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AB682C,00000004,00000000,00000000), ref: 00A7F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00AB682C,00000004,00000000,00000000), ref: 00ABF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AB682C,00000004,00000000,00000000), ref: 00ABF454

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 37f299730a5052ea5450de51e322a46877a61acd875ab71644ad4133ac441b01
Instruction ID: 2bea815704c49c154273956f83bd10c7ae18cc790635147e6c769cbd39930d67
Opcode Fuzzy Hash: 37f299730a5052ea5450de51e322a46877a61acd875ab71644ad4133ac441b01
Instruction Fuzzy Hash: 1C414D31208640BEC7349B7DCD987BA7BE5AB46320F18C53CE26F57561D631AA81CB11

Function 00AF2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AF2D1B
GetDC.USER32(00000000), ref: 00AF2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AF2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00AF2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00AF2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AF2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AF5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00AF2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AF2DE1

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f6e0d015c52b154959cecd1049cc51a462be4f159ac5dce5eea2398c4cbd5c10
Instruction ID: 2f46e9836b35ac324fa32a868853d6816c9465c7c858949490cb8d35b8a417d7
Opcode Fuzzy Hash: f6e0d015c52b154959cecd1049cc51a462be4f159ac5dce5eea2398c4cbd5c10
Instruction Fuzzy Hash: 40316B72201618BBEB118F91CD8AFFB3BA9EF09725F044055FE08DA291C6759C51CBA4

Function 00AC5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00AC5637
_memcmp.LIBVCRUNTIME ref: 00AC5659
_memcmp.LIBVCRUNTIME ref: 00AC5671
_memcmp.LIBVCRUNTIME ref: 00AC5684
_memcmp.LIBVCRUNTIME ref: 00AC569E
_memcmp.LIBVCRUNTIME ref: 00AC56B1
_memcmp.LIBVCRUNTIME ref: 00AC56C9
_memcmp.LIBVCRUNTIME ref: 00AC56E4

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5a41b558491564930436a3443f63ee87e181357de916687b530cca8ef43bfef4
Instruction ID: dd418ac82d1fc40226d2dc196f101e24dcc17972d8318f5238c5c2fbb07c43af
Opcode Fuzzy Hash: 5a41b558491564930436a3443f63ee87e181357de916687b530cca8ef43bfef4
Instruction Fuzzy Hash: B321A771E40A197BD614A6318E82FBA335CFF21384F490428FE049E581FB21FD9282A9

Function 00AE4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00AE5007
NULL Pointer assignment, xrefs: 00AE502E, 00AE5383

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 51571380d6f5cd5f1ab359c8071116e0b7bcb7a67aa2f7640b74131ff8d13103
Instruction ID: f22627fe173b9db778488b33145abc43deefa1e4ea282ecfd3daab344124d874
Opcode Fuzzy Hash: 51571380d6f5cd5f1ab359c8071116e0b7bcb7a67aa2f7640b74131ff8d13103
Instruction Fuzzy Hash: F1D10371E0064AAFDF10CFA9D880FAEB7B5BF48348F148169E915AB281E370DD41CB90

Function 00AA1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00AA15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00AA17FB,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA16FB

Part of subcall function 00A93820: RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA1777
__freea.LIBCMT ref: 00AA17A2
__freea.LIBCMT ref: 00AA17AE

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0deb1882c196499c2bfe473a42852a06fc7229ce110c209e91ef0dbe5027b62b
Instruction ID: 9e0ceb9b2616b95ddb0b5b5014961ac597fe149a6cda3f4beafd9f3151e6f957
Opcode Fuzzy Hash: 0deb1882c196499c2bfe473a42852a06fc7229ce110c209e91ef0dbe5027b62b
Instruction Fuzzy Hash: 62919272E00216BADF259FA4C981EEEBBF59F4A710F184659E802E71C1EB35DD41CB60

Function 00AE4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE4648
VariantInit.OLEAUT32(?), ref: 00AE4749
VariantClear.OLEAUT32(?), ref: 00AE4753
VariantClear.OLEAUT32(?), ref: 00AE47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00AE45D8, 00AE4706, 00AE47BE
Incorrect Object type in FOR..IN loop, xrefs: 00AE472C

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 709bfcac3ac9386c7d0bfc21c164db9345bbf79975a90994698e1947364f9e60
Instruction ID: d818940bd6670d1cc4f3bedc275ddcdb55b6a2cc74978ea0e2fca82f47f60d4d
Opcode Fuzzy Hash: 709bfcac3ac9386c7d0bfc21c164db9345bbf79975a90994698e1947364f9e60
Instruction Fuzzy Hash: 13917071A00259AFDF20CFA6D848FAEBBBCEF4A715F108559F505AB280D7709945CFA0

Function 00AD1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00AD125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AD1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00AD12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AD12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AD135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AD13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AD1430

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 0f24225026d54f0b0e8d098d636a16081386a3df5727f7d674bdaf2221908d80
Instruction ID: 2cd327d90aebae3ddac9f0c449dae288cdcdb71a9dd232d2ac50fcb4c7338e62
Opcode Fuzzy Hash: 0f24225026d54f0b0e8d098d636a16081386a3df5727f7d674bdaf2221908d80
Instruction Fuzzy Hash: 9591D2B5A00208AFDB00DF98C884BFEB7B5FF45725F10442AE912EB391D775A941CB90

Function 00A7948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b8aaef6ee87b6e87da27ff61e4310d8ce2181ac353738d4d6f4a2b4364839ccd
Instruction ID: ed86776b2b7ad15a6912babe9139210514b004203f4b5a7db44eecd689771354
Opcode Fuzzy Hash: b8aaef6ee87b6e87da27ff61e4310d8ce2181ac353738d4d6f4a2b4364839ccd
Instruction Fuzzy Hash: 5E912771D40219EFCB10CFA9CD84AEEBBB8FF89320F148556E519B7251D774A942CB60

Function 00AE3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE396B
CharUpperBuffW.USER32(?,?), ref: 00AE3A7A
_wcslen.LIBCMT ref: 00AE3A8A
VariantClear.OLEAUT32(?), ref: 00AE3C1F

Part of subcall function 00AD0CDF: VariantInit.OLEAUT32(00000000), ref: 00AD0D1F
Part of subcall function 00AD0CDF: VariantCopy.OLEAUT32(?,?), ref: 00AD0D28
Part of subcall function 00AD0CDF: VariantClear.OLEAUT32(?), ref: 00AD0D34

Strings

Incorrect Parameter format, xrefs: 00AE39A6, 00AE3BA1
AUTOIT.ERROR, xrefs: 00AE3A80, 00AE3A85

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f94eab05540040e8ac25b863bec3437f788c5fa79668738b6b67869247f4a36a
Instruction ID: c7fdfa4114ae5bb2f15bb0bd3a301f1e292f6afd7b6388f7e81393a7b5477586
Opcode Fuzzy Hash: f94eab05540040e8ac25b863bec3437f788c5fa79668738b6b67869247f4a36a
Instruction Fuzzy Hash: 009155756083459FCB00EF29C58496AB7F4BF88314F14886EF88A9B351DB31EE45CB92

Function 00AE4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00AC000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?,?,00AC035E), ref: 00AC002B
Part of subcall function 00AC000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0046
Part of subcall function 00AC000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0054
Part of subcall function 00AC000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?), ref: 00AC0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00AE4C51
_wcslen.LIBCMT ref: 00AE4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00AE4DCF
CoTaskMemFree.OLE32(?), ref: 00AE4DDA

Strings

NULL Pointer assignment, xrefs: 00AE4E23, 00AE4E52

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0441bd31074c30c21736e8cd3633edf5168c6d0111bb96b03107a9fe5aeb1099
Instruction ID: e74cd04cda2f549df8b824f0c1702bad10630df5d60ce033377a4b13c83adcb5
Opcode Fuzzy Hash: 0441bd31074c30c21736e8cd3633edf5168c6d0111bb96b03107a9fe5aeb1099
Instruction Fuzzy Hash: 10910571D0025DAFDF14DFA5C991AEEB7B8BF08310F10816AE919B7251EB709A45CFA0

Function 00AF20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00AF2183
GetMenuItemCount.USER32(00000000), ref: 00AF21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AF21DD
_wcslen.LIBCMT ref: 00AF2213
GetMenuItemID.USER32(?,?), ref: 00AF224D
GetSubMenu.USER32(?,?), ref: 00AF225B

Part of subcall function 00AC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC3A57
Part of subcall function 00AC3A3D: GetCurrentThreadId.KERNEL32 ref: 00AC3A5E
Part of subcall function 00AC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AC25B3), ref: 00AC3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AF22E3

Part of subcall function 00ACE97B: Sleep.KERNEL32 ref: 00ACE9F3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8985dafd70f5d1245e9df4a695ec540f3e6b0fbd92ff7531264b20ff5ecd07bf
Instruction ID: 85a5d8b222cf3af3e697c892eb9d9d98704e4b2c311b07f21ca7d42a5849dec0
Opcode Fuzzy Hash: 8985dafd70f5d1245e9df4a695ec540f3e6b0fbd92ff7531264b20ff5ecd07bf
Instruction Fuzzy Hash: 25715D75A00209AFCB10EFA5C945BBEB7B5EF48320F148459F956EB351DB34AE41CB90

Function 00AF7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00BA5238), ref: 00AF7F37
IsWindowEnabled.USER32(00BA5238), ref: 00AF7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00AF801E
SendMessageW.USER32(00BA5238,000000B0,?,?), ref: 00AF8051
IsDlgButtonChecked.USER32(?,?), ref: 00AF8089
GetWindowLongW.USER32(00BA5238,000000EC), ref: 00AF80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00AF80C3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b1fc982988f388540a43fe88fa83a07b06cd8c0a23aec19eaf4d52b0dafda4ad
Instruction ID: af0e3989eb5cc6c15ddc3c17882b4b97aee8cc904bc8c140bd28594423286cc1
Opcode Fuzzy Hash: b1fc982988f388540a43fe88fa83a07b06cd8c0a23aec19eaf4d52b0dafda4ad
Instruction Fuzzy Hash: D6716934608209AFEB21DFE4C984FFEBBB9EF09310F144559FA45972A1CB35A845DB20

Function 00ACAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ACAEF9
GetKeyboardState.USER32(?), ref: 00ACAF0E
SetKeyboardState.USER32(?), ref: 00ACAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00ACAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00ACAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00ACAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ACB020

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 538966e3546781b54948154ef4d083f7767bab947322f7c1edd0825740846827
Instruction ID: 4cd291e4525a667534a484607d590957c8318bb9c0872dc199f358773431be72
Opcode Fuzzy Hash: 538966e3546781b54948154ef4d083f7767bab947322f7c1edd0825740846827
Instruction Fuzzy Hash: 0051B4A06147D93DFB3693348C46FBA7EE95B06308F09858DE1E5954C3C3A9ACC4D7A2

Function 00ACACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00ACAD19
GetKeyboardState.USER32(?), ref: 00ACAD2E
SetKeyboardState.USER32(?), ref: 00ACAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00ACADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00ACADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00ACAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00ACAE38

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a5f8bbf36e9fb31baa41f81b8311d092c167db5247145f6ee77aa0f8044ebb8b
Instruction ID: 1396518a7b02a5d2d3866c0c513895fa32df572e361282c4eecd325fcc0ac787
Opcode Fuzzy Hash: a5f8bbf36e9fb31baa41f81b8311d092c167db5247145f6ee77aa0f8044ebb8b
Instruction Fuzzy Hash: C85108A16087E93DFB3383748C45FBA7EA85B55308F09848CE1D6968C3D394EC84D7A2

Function 00A9542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00AA3CD6,?,?,?,?,?,?,?,?,00A95BA3,?,?,00AA3CD6,?,?), ref: 00A95470
__fassign.LIBCMT ref: 00A954EB
__fassign.LIBCMT ref: 00A95506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00AA3CD6,00000005,00000000,00000000), ref: 00A9552C
WriteFile.KERNEL32(?,00AA3CD6,00000000,00A95BA3,00000000,?,?,?,?,?,?,?,?,?,00A95BA3,?), ref: 00A9554B
WriteFile.KERNEL32(?,?,00000001,00A95BA3,00000000,?,?,?,?,?,?,?,?,?,00A95BA3,?), ref: 00A95584

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1cd4473e5a0e3f400c0c7c8da519c540f39ebebcccc1e2de5c6944736d273d89
Instruction ID: 23cb0cade102f39bea666cddf28f8a49a24c2e90559f19065d77df4863534a62
Opcode Fuzzy Hash: 1cd4473e5a0e3f400c0c7c8da519c540f39ebebcccc1e2de5c6944736d273d89
Instruction Fuzzy Hash: 6451A071E006499FDF11CFB8D886AEEBBF9EF09310F15411AE955E7292D630AA41CB60

Function 00A82D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A82D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00A82D53
_ValidateLocalCookies.LIBCMT ref: 00A82DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00A82E0C
_ValidateLocalCookies.LIBCMT ref: 00A82E61

Strings

csm, xrefs: 00A82DF6

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 820a2d1a8f35b24985264a6adf7fb2f97d4ed56f5b142f08487184dabcad0fb2
Instruction ID: 572586017095165f2e6e70019413f4a4b2e2275f5f15a421f7cee20a88fa87e7
Opcode Fuzzy Hash: 820a2d1a8f35b24985264a6adf7fb2f97d4ed56f5b142f08487184dabcad0fb2
Instruction Fuzzy Hash: 5E418E35A00209ABCF10FF68C845BAEBFF5BF45324F148155E815AB392D775AA15CBD0

Function 00AE10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE304E: inet_addr.WSOCK32(?), ref: 00AE307A
Part of subcall function 00AE304E: _wcslen.LIBCMT ref: 00AE309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00AE1112
WSAGetLastError.WSOCK32 ref: 00AE1121
WSAGetLastError.WSOCK32 ref: 00AE11C9
closesocket.WSOCK32(00000000), ref: 00AE11F9

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4d3206935512ea0df6ea33bf929c2a7b4b12015f45e326ef3fa15e1be5238136
Instruction ID: d10786f31a6e479884e8428fd3c3a58c5b8d22e1f6bd798a5dcbebea8436bfe5
Opcode Fuzzy Hash: 4d3206935512ea0df6ea33bf929c2a7b4b12015f45e326ef3fa15e1be5238136
Instruction Fuzzy Hash: 2641F231600258AFDB10DF96C984BAABBF9EF45364F14815DF9069B291D770AD82CBE0

Function 00ACCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ACCF22,?), ref: 00ACDDFD

Part of subcall function 00ACDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ACCF22,?), ref: 00ACDE16

lstrcmpiW.KERNEL32(?,?), ref: 00ACCF45
MoveFileW.KERNEL32(?,?), ref: 00ACCF7F
_wcslen.LIBCMT ref: 00ACD005
_wcslen.LIBCMT ref: 00ACD01B
SHFileOperationW.SHELL32(?), ref: 00ACD061

Strings

\*.*, xrefs: 00ACCFF3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 28dd0d16f9d49d166b4666801899609aabb6f45dcaf52224d4e64a0c9b3e1f5e
Instruction ID: ec21312582e6c287fd9937727672fc4b5e49d83270f8c00bb7da42866e5c2e7a
Opcode Fuzzy Hash: 28dd0d16f9d49d166b4666801899609aabb6f45dcaf52224d4e64a0c9b3e1f5e
Instruction Fuzzy Hash: A24156719052185FDF12EBA4CA81FDEB7B8AF08790F0100EEE509EB141EB34AB45CB50

Function 00AF2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00AF2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00AF2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00AF2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00AF2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00AF2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00AF2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF2F0B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 1613df7f7c2c77853cb3188b87ae68f281e2448aee29f12280607eddf1d3f9f2
Instruction ID: 32c130e23678d5a2757145192d35b80f04a10b49cac9f30ff86611aa45cc6543
Opcode Fuzzy Hash: 1613df7f7c2c77853cb3188b87ae68f281e2448aee29f12280607eddf1d3f9f2
Instruction Fuzzy Hash: D031F230644258AFEB21CF99DD84F693BE5EB9A720F250164FA00CF2B1CB71A842DB41

Function 00AC7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC778F
SysAllocString.OLEAUT32(00000000), ref: 00AC7792
SysAllocString.OLEAUT32(?), ref: 00AC77B0
SysFreeString.OLEAUT32(?), ref: 00AC77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00AC77DE
SysAllocString.OLEAUT32(?), ref: 00AC77EC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cd70e9afc1ce4e7fbde894a9b78990730801b21ac9583a9e60e14a044f084fee
Instruction ID: 4dfa55c7ad9ba838f76e8a87eff929abedc849e41ec0b460ce86d5e2a6bcf357
Opcode Fuzzy Hash: cd70e9afc1ce4e7fbde894a9b78990730801b21ac9583a9e60e14a044f084fee
Instruction Fuzzy Hash: 1E21AE7660821DAFDB10DFE9CD88EBF73ACEB09364B018029BA15DB190D670DD46CB64

Function 00AC77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC7868
SysAllocString.OLEAUT32(00000000), ref: 00AC786B
SysAllocString.OLEAUT32 ref: 00AC788C
SysFreeString.OLEAUT32 ref: 00AC7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00AC78AF
SysAllocString.OLEAUT32(?), ref: 00AC78BD

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2e502900cfa1e4b555645d65dee82933d2cefaa5fba653d620c22ace37d93dcd
Instruction ID: 8e29dc7ced4fa5806e08b6d4cb83ca25b485f0a6d2dd431ddd5baf738cb08f83
Opcode Fuzzy Hash: 2e502900cfa1e4b555645d65dee82933d2cefaa5fba653d620c22ace37d93dcd
Instruction Fuzzy Hash: E4213136608108AFDB109BE9DC8DEBA77ACEB097607118129BA15CB2A1D674DD81CB64

Function 00AD04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00AD04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AD052E

Strings

nul, xrefs: 00AD0567

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 47e6fd38338d672b8706e37cf4ddf04856018bc25a35679074f1dd20a32144ae
Instruction ID: 5ed9420905cddf04f6cd0c1fde3351cb9b1778beb917c8e4094cbbe2011198eb
Opcode Fuzzy Hash: 47e6fd38338d672b8706e37cf4ddf04856018bc25a35679074f1dd20a32144ae
Instruction Fuzzy Hash: 5C215175500305DBDB209F69E845F9A7BB4AF54724F208A1AECA2D72E0D7709951DF20

Function 00AD05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AD05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AD0601

Strings

nul, xrefs: 00AD0639

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 98b8b433b35bd0be1b6fa31600619fc16f75b14aa42769a2838465c974c85390
Instruction ID: f8f91dec83f58b7941f6a1ee30263c0f577519b66da67f7de7def33c9f513c89
Opcode Fuzzy Hash: 98b8b433b35bd0be1b6fa31600619fc16f75b14aa42769a2838465c974c85390
Instruction Fuzzy Hash: CE2141755003059BDB209FB99C04FAA77E4AF95730F204A1AE8A2E73E0D7B0D961CB10

Function 00AF40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A6604C
Part of subcall function 00A6600E: GetStockObject.GDI32(00000011), ref: 00A66060
Part of subcall function 00A6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A6606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AF4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AF411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AF412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AF4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AF4145

Strings

Msctls_Progress32, xrefs: 00AF40E3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9acfa58fe6d6f2e50d4e86aa6004b674f703eaebec71eb6c0097f58c1a6ac5e2
Instruction ID: cb08e0ee55a5a57a4b16080a035c90dbb406ccb6681722460d36a75b3a079be4
Opcode Fuzzy Hash: 9acfa58fe6d6f2e50d4e86aa6004b674f703eaebec71eb6c0097f58c1a6ac5e2
Instruction Fuzzy Hash: C91181B114011DBEEB119FA4CC85EE77F6DEF08798F014210BB18A2050CB769C21DBA4

Function 00A9D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A9D7A3: _free.LIBCMT ref: 00A9D7CC

_free.LIBCMT ref: 00A9D82D

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A9D838
_free.LIBCMT ref: 00A9D843
_free.LIBCMT ref: 00A9D897
_free.LIBCMT ref: 00A9D8A2
_free.LIBCMT ref: 00A9D8AD
_free.LIBCMT ref: 00A9D8B8

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: fe4601f8410f3cdb21a18289550167bf4bea5452f9918721f7e9aca1bd6509cc
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D9111971A40B04BADE21FFF0CE47FCB7BDCAF44700F404825B29DAA492DA65B58587A0

Function 00ACDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00ACDA74
LoadStringW.USER32(00000000), ref: 00ACDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00ACDA91
LoadStringW.USER32(00000000), ref: 00ACDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ACDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00ACDAB9

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f31fdf9ce42e562646bcc1f05c5b0777b1fe9ea9a9287271730a25b9e5f9c55d
Instruction ID: 211a004823ac1260cd8994d3b5aa45f5db3cc9e49b10a9c88091a7aa7d10ac76
Opcode Fuzzy Hash: f31fdf9ce42e562646bcc1f05c5b0777b1fe9ea9a9287271730a25b9e5f9c55d
Instruction Fuzzy Hash: CA014FF250020C7BE750EBE19E89EF7726CE708711F4005A5B75AE6041E6749E858B74

Function 00AD096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B9EF98,00B9EF98), ref: 00AD097B
EnterCriticalSection.KERNEL32(00B9EF78,00000000), ref: 00AD098D
TerminateThread.KERNEL32(?,000001F6), ref: 00AD099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00AD09A9
CloseHandle.KERNEL32(?), ref: 00AD09B8
InterlockedExchange.KERNEL32(00B9EF98,000001F6), ref: 00AD09C8
LeaveCriticalSection.KERNEL32(00B9EF78), ref: 00AD09CF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6b8e5334814a25fe7676ee3bbfee189d921d440d8abada9d4e3896784ab0f927
Instruction ID: eb79743ca82f5ca3e06a4f27097ad205f6fd3b3d6a74baecd673d17e780837fe
Opcode Fuzzy Hash: 6b8e5334814a25fe7676ee3bbfee189d921d440d8abada9d4e3896784ab0f927
Instruction Fuzzy Hash: ADF01D31442516ABD741ABD5EF88BE6BA25FF01752F401116F202908A0C7749466DF90

Function 00AE1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00AE1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AE1DE1
WSAGetLastError.WSOCK32 ref: 00AE1DF2
htons.WSOCK32(?), ref: 00AE1EDB
inet_ntoa.WSOCK32(?), ref: 00AE1E8C

Part of subcall function 00AC39E8: _strlen.LIBCMT ref: 00AC39F2

Part of subcall function 00AE3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00ADEC0C), ref: 00AE3240

_strlen.LIBCMT ref: 00AE1F35

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 924ffa22982a66dd7d66e6d052470f09593abf619e53413b114ae23b0bff783c
Instruction ID: 0908039efbb48fabc014d830b8a91837047287daa845ab0b2f95f220d9129006
Opcode Fuzzy Hash: 924ffa22982a66dd7d66e6d052470f09593abf619e53413b114ae23b0bff783c
Instruction Fuzzy Hash: 12B1EF31204390AFC324DF65C995E6A7BF5AF84318F54894CF45A9B2E2DB31ED82CB91

Function 00A65D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A65D30
GetWindowRect.USER32(?,?), ref: 00A65D71
ScreenToClient.USER32(?,?), ref: 00A65D99
GetClientRect.USER32(?,?), ref: 00A65ED7
GetWindowRect.USER32(?,?), ref: 00A65EF8

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0d62e51eaf5a50a3a4faaddb1201a622b66a41d337d15c94cfa8bda9af9328bc
Instruction ID: db5b68f56e4604204e2d4fcb12b9e62abe326a405d37f73c8f02417d7b5e25ad
Opcode Fuzzy Hash: 0d62e51eaf5a50a3a4faaddb1201a622b66a41d337d15c94cfa8bda9af9328bc
Instruction Fuzzy Hash: F1B16634A00A4ADBDB10CFB9C4807EEB7F1FF58310F14841AE8AAD7290DB34AA51DB50

Function 00A901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00A900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A900D6
__allrem.LIBCMT ref: 00A900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A9010B
__allrem.LIBCMT ref: 00A90122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A90140

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 7667c941e70cd3931d3bf8a719b00badaeef74e52737a1af453351a89ebb5eef
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0681D276B00706AFEB24AF68CD41B6B73E9AF41764F24463AF651D7681E770DD008B90

Function 00A961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A882D9,00A882D9,?,?,?,00A9644F,00000001,00000001,8BE85006), ref: 00A96258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A9644F,00000001,00000001,8BE85006,?,?,?), ref: 00A962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A963D8
__freea.LIBCMT ref: 00A963E5

Part of subcall function 00A93820: RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

__freea.LIBCMT ref: 00A963EE
__freea.LIBCMT ref: 00A96413

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 88976c192539c9451789c1807b5215cf3b2970a39a89d69e1e08293a909a02aa
Instruction ID: 315b9abaed4db5bf1991206097b3ffa74e8e1436b9039cd2e91081bebb996ae0
Opcode Fuzzy Hash: 88976c192539c9451789c1807b5215cf3b2970a39a89d69e1e08293a909a02aa
Instruction Fuzzy Hash: 0B519F72B00216ABEF268FA4DD81EAF7BE9EF44750F154629FC05DA190EB34DC50D6A0

Function 00AEBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEB6AE,?,?), ref: 00AEC9B5
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AEC9F1
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA68
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AEBD25
RegCloseKey.ADVAPI32(00000000), ref: 00AEBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AEBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AEBDF3
RegCloseKey.ADVAPI32(?), ref: 00AEBDFF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7ba0ec7be2c64125449e8c5f3fc34aaccc853539e7b53ed4258db9c6dcc022d1
Instruction ID: da9c2e5b7612aeda68481c7cf0451881d911aa788ef12f8e81d1162566cdefa0
Opcode Fuzzy Hash: 7ba0ec7be2c64125449e8c5f3fc34aaccc853539e7b53ed4258db9c6dcc022d1
Instruction Fuzzy Hash: CE818B30118281AFD714DF65C995E2BBBF5BF84308F14895CF45A8B2A2DB31ED45CBA2

Function 00ABF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00ABF7B9
SysAllocString.OLEAUT32(00000001), ref: 00ABF860
VariantCopy.OLEAUT32(00ABFA64,00000000), ref: 00ABF889
VariantClear.OLEAUT32(00ABFA64), ref: 00ABF8AD
VariantCopy.OLEAUT32(00ABFA64,00000000), ref: 00ABF8B1
VariantClear.OLEAUT32(?), ref: 00ABF8BB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 379010c82a52fb0848457a3cf362ab41dc5c36bfccad0cafee342599b25c1884
Instruction ID: 8a4fe08dfcd49a8fb80818a1bc8b8d8df7e970444c987bccc24a569c8696f5ab
Opcode Fuzzy Hash: 379010c82a52fb0848457a3cf362ab41dc5c36bfccad0cafee342599b25c1884
Instruction Fuzzy Hash: 5451A131610310BECF24ABA5DD95BA9B3BCAF45710B289467E906DF297DB708C40C796

Function 00AD910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00A67620: _wcslen.LIBCMT ref: 00A67625

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00AD94E5
_wcslen.LIBCMT ref: 00AD9506
_wcslen.LIBCMT ref: 00AD952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00AD9585

Strings

X, xrefs: 00AD9412

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ff6655fd606ff7d4e7999fd6a0d4524e1dbf5890d6385ec553d6407857084d64
Instruction ID: b4c54237f874dce5f23976d007bd3a75f13e9a26bf6114da26a00c2b528f8732
Opcode Fuzzy Hash: ff6655fd606ff7d4e7999fd6a0d4524e1dbf5890d6385ec553d6407857084d64
Instruction Fuzzy Hash: 8BE16F716043019FD724EF24C981A6BB7F4BF85314F14896DE89A9B3A2DB31DD05CB92

Function 00A7920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

BeginPaint.USER32(?,?,?), ref: 00A79241
GetWindowRect.USER32(?,?), ref: 00A792A5
ScreenToClient.USER32(?,?), ref: 00A792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A792D3
EndPaint.USER32(?,?,?,?,?), ref: 00A79321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00AB71EA

Part of subcall function 00A79339: BeginPath.GDI32(00000000), ref: 00A79357

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 7c9d1c4b031064e8199ac4fa10620cbf81f70829e7ab16b3e78b33aa628f3f24
Instruction ID: 874d5591447d572f8445298dd93ad0d192cdec01191006cdff9517329a185df5
Opcode Fuzzy Hash: 7c9d1c4b031064e8199ac4fa10620cbf81f70829e7ab16b3e78b33aa628f3f24
Instruction Fuzzy Hash: 9941B231104200AFD711DF69DC84FBB7BBCEB85320F14866AF9698B2B2C7719846DB61

Function 00AD07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00AD080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00AD0847
EnterCriticalSection.KERNEL32(?), ref: 00AD0863
LeaveCriticalSection.KERNEL32(?), ref: 00AD08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00AD08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AD0921

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 4ee7823d3a245cc2455eb10749b641ba0f96d63dd75756f07d624008f05c8ec8
Instruction ID: 5ae702a2cba5b5834bbef1211477022e0044435943c7408c828335f1650cf9fe
Opcode Fuzzy Hash: 4ee7823d3a245cc2455eb10749b641ba0f96d63dd75756f07d624008f05c8ec8
Instruction Fuzzy Hash: 8D416A71900205EFDF14EF94DD85AAAB7B8FF04310F1480A5ED059A296DB30DE65DBA4

Function 00AF81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00ABF3AB,00000000,?,?,00000000,?,00AB682C,00000004,00000000,00000000), ref: 00AF824C
EnableWindow.USER32(?,00000000), ref: 00AF8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00AF82D1
ShowWindow.USER32(?,00000004), ref: 00AF82E5
EnableWindow.USER32(?,00000001), ref: 00AF830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00AF832F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a9964d6499e44b17dba2181a7bd086db79e7d20269b192973a441be92e34d923
Instruction ID: e1e2c96f29be75933a97e8b404a05dc968ef78a63a54ee4b878f34c2338b6b34
Opcode Fuzzy Hash: a9964d6499e44b17dba2181a7bd086db79e7d20269b192973a441be92e34d923
Instruction Fuzzy Hash: 6B419434601648EFDB21CF95C999BF87BE0BB4A714F184269F6184F272CB35A846CF50

Function 00AC4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00AC4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AC4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AC4CEA
_wcslen.LIBCMT ref: 00AC4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AC4D10
_wcsstr.LIBVCRUNTIME ref: 00AC4D1A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: bbf505591d842494c13b572a713c97bff74a1bfbad9dfcafc4f6860982885c4d
Instruction ID: 75e357521a3f7d3229281164275530619e7612d02a72855cafdfb895f6801d04
Opcode Fuzzy Hash: bbf505591d842494c13b572a713c97bff74a1bfbad9dfcafc4f6860982885c4d
Instruction Fuzzy Hash: 34212C312082047BEB16AB799D15F7B7BACDF49760F11802DF809CA191EA65CD01C360

Function 00AD581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A63A97,?,?,00A62E7F,?,?,?,00000000), ref: 00A63AC2

_wcslen.LIBCMT ref: 00AD587B
CoInitialize.OLE32(00000000), ref: 00AD5995
CoCreateInstance.OLE32(00AFFCF8,00000000,00000001,00AFFB68,?), ref: 00AD59AE
CoUninitialize.OLE32 ref: 00AD59CC

Strings

.lnk, xrefs: 00AD5876, 00AD58C1, 00AD5985

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f482de1b2dc6abd9ebd39a4b2f9c0f4a7b58c94bcf5c56a0fb4d7af408494693
Instruction ID: 8074840db0d27ed981602f25be89609430fb5460572f508753be8d8ba6d40422
Opcode Fuzzy Hash: f482de1b2dc6abd9ebd39a4b2f9c0f4a7b58c94bcf5c56a0fb4d7af408494693
Instruction Fuzzy Hash: 0DD14371A087019FC714DF24C594A2ABBF5EF89724F14885AF88A9B361DB31EC45CB92

Function 00AC175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AC0FCA
Part of subcall function 00AC0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AC0FD6
Part of subcall function 00AC0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AC0FE5
Part of subcall function 00AC0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AC0FEC
Part of subcall function 00AC0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AC1002

GetLengthSid.ADVAPI32(?,00000000,00AC1335), ref: 00AC17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AC17BA
HeapAlloc.KERNEL32(00000000), ref: 00AC17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00AC17DA
GetProcessHeap.KERNEL32(00000000,00000000,00AC1335), ref: 00AC17EE
HeapFree.KERNEL32(00000000), ref: 00AC17F5

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f0ef1593e46e77ab2d79e45ca6546a5a42a9c7991271c79024136598acd2bd4b
Instruction ID: b33011680cdc8db7650911e23fef2d385bc54ce03cd0c1ee90ef283a3c7dbae2
Opcode Fuzzy Hash: f0ef1593e46e77ab2d79e45ca6546a5a42a9c7991271c79024136598acd2bd4b
Instruction Fuzzy Hash: 82118632600209EFDB20DBE5CD49FAE7BA9EF42365F11411CE481A7212D736A956CB60

Function 00AC14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AC14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00AC1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AC1515
CloseHandle.KERNEL32(00000004), ref: 00AC1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AC154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00AC1563

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b7d33f781740ce9862d7e03b3ece3d31a622e1a1a5f119e5d55e49f0c79f130e
Instruction ID: 9a28b38b601e19c6a89d4ab3b797ac329dbfc48e6c5a854f7def0dfa452ae5e8
Opcode Fuzzy Hash: b7d33f781740ce9862d7e03b3ece3d31a622e1a1a5f119e5d55e49f0c79f130e
Instruction Fuzzy Hash: D6115C7260020DABDF11CFD4DE49FEE7BA9EF49754F054018FA05A2160C3758E65EB60

Function 00A83382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A83379,00A82FE5), ref: 00A83390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A8339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A833B7
SetLastError.KERNEL32(00000000,?,00A83379,00A82FE5), ref: 00A83409

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1963f33a663ed7e0a0d4b1c2f33a65da6b017c9aebf5279d42b660cd4ae7d4a0
Instruction ID: 4d49bd342606898cc1e1692b7aaab21b47d1500ab2fb8ba8414e4d27d3688371
Opcode Fuzzy Hash: 1963f33a663ed7e0a0d4b1c2f33a65da6b017c9aebf5279d42b660cd4ae7d4a0
Instruction Fuzzy Hash: AA01D433609311BEEF263BB9BD85A6B2E94EB05B797200339F4108A1F1EF114E039784

Function 00A92D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A95686,00AA3CD6,?,00000000,?,00A95B6A,?,?,?,?,?,00A8E6D1,?,00B28A48), ref: 00A92D78
_free.LIBCMT ref: 00A92DAB
_free.LIBCMT ref: 00A92DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00A8E6D1,?,00B28A48,00000010,00A64F4A,?,?,00000000,00AA3CD6), ref: 00A92DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00A8E6D1,?,00B28A48,00000010,00A64F4A,?,?,00000000,00AA3CD6), ref: 00A92DEC
_abort.LIBCMT ref: 00A92DF2

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2b8ce340d08762890d3c97ed89f3029f743dfaa892b63673d05a20f9ddd6bc5d
Instruction ID: 5f3faa49935969a12a6028a52e78830fdcf9f272f1eef60c7c66615297c34b0a
Opcode Fuzzy Hash: 2b8ce340d08762890d3c97ed89f3029f743dfaa892b63673d05a20f9ddd6bc5d
Instruction Fuzzy Hash: 87F0C83674560037DE22B775BE06F6F25E9AFD17F1F254519F824E61D2EE24880243A0

Function 00AF8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A79693
Part of subcall function 00A79639: SelectObject.GDI32(?,00000000), ref: 00A796A2
Part of subcall function 00A79639: BeginPath.GDI32(?), ref: 00A796B9
Part of subcall function 00A79639: SelectObject.GDI32(?,00000000), ref: 00A796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00AF8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00AF8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00AF8A70
LineTo.GDI32(?,00000000,00000003), ref: 00AF8A80
EndPath.GDI32(?), ref: 00AF8A90
StrokePath.GDI32(?), ref: 00AF8AA0

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 245b5b0036e9ea40542c81f74697adcfed438090476c8c38a2b063ec3a0278ed
Instruction ID: cf94214ee304c02424a48c78bd3a86952f66a86c0f92dcca02a17ab7311c1b2a
Opcode Fuzzy Hash: 245b5b0036e9ea40542c81f74697adcfed438090476c8c38a2b063ec3a0278ed
Instruction Fuzzy Hash: 42110C7600010DFFDB119FD5DD48EAA7F6CEB04364F008112BA1996161CB719D56DB60

Function 00AC51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AC5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00AC5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AC5230
ReleaseDC.USER32(00000000,00000000), ref: 00AC5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AC524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00AC5261

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 451e1ae228812cd422e7c3ad1a30be5f73c4cac075578c20642444081dd024f1
Instruction ID: 69244c6737585e605db59a8a12401a65cb1289c1ddc0ecba96ef298597fa7bff
Opcode Fuzzy Hash: 451e1ae228812cd422e7c3ad1a30be5f73c4cac075578c20642444081dd024f1
Instruction Fuzzy Hash: 87012C75E04618BBEB109BF69D49F9EBFA8EF48761F044065FA04E7281DA709905CBA0

Function 00A61BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A61BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A61BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A61C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A61C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A61C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A61C22

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3a418c546e4582516dccff2d25567350e770ce8a0cd5e6f9a1af2277e5ab82ef
Instruction ID: 0858b7ec24208f36791056db2f9e5847d1483f8d792f85e0317b81a21ce3913b
Opcode Fuzzy Hash: 3a418c546e4582516dccff2d25567350e770ce8a0cd5e6f9a1af2277e5ab82ef
Instruction Fuzzy Hash: 6D016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00ACEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ACEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ACEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00ACEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ACEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ACEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ACEB75

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: eb0e76a7f5156e775630e9c943991a3fed2226ad762ec5f75976447d76568d6c
Instruction ID: aeba630241e70f8a415163ff2692c6af2dd5bcd13c3f1dcdb79b67f59eaf450a
Opcode Fuzzy Hash: eb0e76a7f5156e775630e9c943991a3fed2226ad762ec5f75976447d76568d6c
Instruction Fuzzy Hash: 01F01772240158BBE7219BE39D0EEFB7A7CEFCAB61F004258F601D50919BA45A02D6B5

Function 00AB7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00AB7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00AB7469
GetWindowDC.USER32(?), ref: 00AB7475
GetPixel.GDI32(00000000,?,?), ref: 00AB7484
ReleaseDC.USER32(?,00000000), ref: 00AB7496
GetSysColor.USER32(00000005), ref: 00AB74B0

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 5b3fba60a7f946f2ad9f48be4e448a0fffc0868da595405f55b3c9467a69a794
Instruction ID: ffbe8daf3e33f0acfe9647ff66394b25d35e0fcdb4bd61fee24bd262ba1931e1
Opcode Fuzzy Hash: 5b3fba60a7f946f2ad9f48be4e448a0fffc0868da595405f55b3c9467a69a794
Instruction Fuzzy Hash: 0D018631404209EFEB619FE5DE08BFE7BB9FB04322F204160F916A21A1CB311E52EB10

Function 00AC1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AC187F
UnloadUserProfile.USERENV(?,?), ref: 00AC188B
CloseHandle.KERNEL32(?), ref: 00AC1894
CloseHandle.KERNEL32(?), ref: 00AC189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC18A5
HeapFree.KERNEL32(00000000), ref: 00AC18AC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f3a3bb0e3713e32c57209b2e514306b62885a1cb17f402bc7504eaf8502a3a09
Instruction ID: 595139bbd60864d5dce90c531f7cbffb2c09d2bd3099dce4b6ad2ea61f8d1dd3
Opcode Fuzzy Hash: f3a3bb0e3713e32c57209b2e514306b62885a1cb17f402bc7504eaf8502a3a09
Instruction Fuzzy Hash: 2EE0C236004109BBDA01ABE2EE0CD1ABF29FF49B72B108220F22585070CB329432EB54

Function 00ACC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A67620: _wcslen.LIBCMT ref: 00A67625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ACC6EE
_wcslen.LIBCMT ref: 00ACC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ACC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00ACC7CA

Strings

0, xrefs: 00ACC6AF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 715863fd8cb63232697f3bce417d801f60292ed0ff1cdd524bbd7bde83958b27
Instruction ID: 83e4f3264f72b1456b2e5240146f1d12e5154f1a88be64515b31b731613ea452
Opcode Fuzzy Hash: 715863fd8cb63232697f3bce417d801f60292ed0ff1cdd524bbd7bde83958b27
Instruction Fuzzy Hash: 6351CB726183009BD714DF28CA85F6BB7E8EF89324F054A2DF999E71A1DB70D904CB52

Function 00AEAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00AEAEA3

Part of subcall function 00A67620: _wcslen.LIBCMT ref: 00A67625

GetProcessId.KERNEL32(00000000), ref: 00AEAF38
CloseHandle.KERNEL32(00000000), ref: 00AEAF67

Strings

<, xrefs: 00AEAE6B
@, xrefs: 00AEAE72

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 3022fd66d7be243ed431a20b3c18df968939623583b6b1a0dfeb085be0413f44
Instruction ID: 1f6b03ece572357c3d62ae7355d1a83c22bac7211e339b541f71bcea846a7557
Opcode Fuzzy Hash: 3022fd66d7be243ed431a20b3c18df968939623583b6b1a0dfeb085be0413f44
Instruction Fuzzy Hash: CD71AC71A00258DFCB14DF95C584A9EBBF0FF08314F048499E81AAB3A2CB74ED45CB91

Function 00AC719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AC7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AC723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AC724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AC72CF

Strings

DllGetClassObject, xrefs: 00AC7242

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1494fa6c9391037600e601ace3ded41efb26dc2168a1812bc123e9fb0dda2f7d
Instruction ID: 92f2f21db3a85347cab989d3a349ebd77d14c57951dcb884d1cbd029afe971b2
Opcode Fuzzy Hash: 1494fa6c9391037600e601ace3ded41efb26dc2168a1812bc123e9fb0dda2f7d
Instruction Fuzzy Hash: 7C412971A04204AFDB15CF94C984FAE7BA9EF44710F2680ADBD099F20AD7B1D945CFA0

Function 00AF3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF3E35
IsMenu.USER32(?), ref: 00AF3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AF3E92
DrawMenuBar.USER32 ref: 00AF3EA5

Strings

0, xrefs: 00AF3D89

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 6cf57ff732b5b08826286c534411485004be363c942bb275cb12987ee438d30e
Instruction ID: 9446b94311da53f4635c4337e480af2633120d03824a8f4491abbd61278c8bbb
Opcode Fuzzy Hash: 6cf57ff732b5b08826286c534411485004be363c942bb275cb12987ee438d30e
Instruction Fuzzy Hash: 7C411576A0120DAFDF10DF95D884AEABBF9FF49364F044129FA15AB250D730AE45CB50

Function 00AC1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AC3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AC1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AC1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00AC1EA9

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

Strings

ListBox, xrefs: 00AC1E25
ComboBox, xrefs: 00AC1DF0

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e4dd7bfa5f14e09ac9c08afe0df6b4e9c055e775401c7651064edd420316f0fd
Instruction ID: ee6cb842196c5685d36d037e5a0ec14c9aa2b2ca786511ac898907bf0f2781c9
Opcode Fuzzy Hash: e4dd7bfa5f14e09ac9c08afe0df6b4e9c055e775401c7651064edd420316f0fd
Instruction Fuzzy Hash: CA212771A00108BFDB14ABA5DE45EFFB7B8EF46360B10851DF825E71E2DB38490AD620

Function 00AF2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AF2F8D
LoadLibraryW.KERNEL32(?), ref: 00AF2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AF2FA9
DestroyWindow.USER32(?), ref: 00AF2FB1

Strings

SysAnimate32, xrefs: 00AF2F68

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: e74246813e4155f6fe5df550138e9a1e1653aee861c589db5b5f7c64bd2a12cd
Instruction ID: 24656e3f1ad14ae42591184aad6e6a4ab058141b641c65ff20eaf057f1c9b407
Opcode Fuzzy Hash: e74246813e4155f6fe5df550138e9a1e1653aee861c589db5b5f7c64bd2a12cd
Instruction Fuzzy Hash: CA219D7122420DABEB219FE4DC80FBB77BDEB59364F104628FA50D61A0D771DC619760

Function 00A84D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A84D1E,00A928E9,?,00A84CBE,00A928E9,00B288B8,0000000C,00A84E15,00A928E9,00000002), ref: 00A84D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A84DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00A84D1E,00A928E9,?,00A84CBE,00A928E9,00B288B8,0000000C,00A84E15,00A928E9,00000002,00000000), ref: 00A84DC3

Strings

CorExitProcess, xrefs: 00A84D98
mscoree.dll, xrefs: 00A84D86

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 967adc2f741801cd95da72ec07fe0970480f072c93b1e6c56d56e2412483dfb4
Instruction ID: 5961c24dd4b8eaf930ed199524ed01b22485d71ea064b77035c412dcc915c4bb
Opcode Fuzzy Hash: 967adc2f741801cd95da72ec07fe0970480f072c93b1e6c56d56e2412483dfb4
Instruction Fuzzy Hash: 94F04F34A4020DBBDB11AFD1DD49BAEBFF5EF48761F0001A4F805A26A0CB745D55CB95

Function 00A64E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A64EDD,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A64EAE
FreeLibrary.KERNEL32(00000000,?,?,00A64EDD,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64EC0

Strings

kernel32.dll, xrefs: 00A64E94
Wow64DisableWow64FsRedirection, xrefs: 00A64EA8

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 17fd1b17e7aae4cd5ed7aa128b3a07aa8642c794ef26b72b90c481417c4c6b9e
Instruction ID: 41ce3b2583e22eacbea81ae779015487ed46138f9babeed7aaa6e4a586c1af7f
Opcode Fuzzy Hash: 17fd1b17e7aae4cd5ed7aa128b3a07aa8642c794ef26b72b90c481417c4c6b9e
Instruction Fuzzy Hash: 28E0CD35E055365BD23157A67D18BBF65B4BF85F727050215FD04D2114DB68CD02C0A4

Function 00A64E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA3CDE,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A64E74
FreeLibrary.KERNEL32(00000000,?,?,00AA3CDE,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E87

Strings

kernel32.dll, xrefs: 00A64E5B
Wow64RevertWow64FsRedirection, xrefs: 00A64E6E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 05c23ff113ed9d0ed6dea11b191bf8f28c5b53ab70df4dd581fd31274a5e5321
Instruction ID: 9432a9389c164b5be8b00d99c6eb1301546d8de55fe70c2c201f70a01fa87571
Opcode Fuzzy Hash: 05c23ff113ed9d0ed6dea11b191bf8f28c5b53ab70df4dd581fd31274a5e5321
Instruction Fuzzy Hash: 15D02B395026366BC6321BA67C1CDEF6A38BF89F313050711F904E2110CF25CD12C1D4

Function 00AD2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD2C05
DeleteFileW.KERNEL32(?), ref: 00AD2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AD2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD2CC0

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 0e61be4b6648318593664d9e34c3eaf1a2cf011618d8405d816375359d0f58f8
Instruction ID: 78b6e65603bd6b37875f9a95d2b3f4cbea6d72aaf3a976bd25d9f2828e53346c
Opcode Fuzzy Hash: 0e61be4b6648318593664d9e34c3eaf1a2cf011618d8405d816375359d0f58f8
Instruction Fuzzy Hash: 3FB13D72D00119ABDF21EBA4CD85EEEB7BDEF59350F1040A6F50AE7251EA309A44CB61

Function 00AEA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00AEA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AEA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AEA468
CloseHandle.KERNEL32(?), ref: 00AEA63D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8d3ffde947c9f494a154fa47ba82cb5972154e0bdcb5449bbde44eefe77b6618
Instruction ID: 9fe0de3c928b5a39f7fd8dede2c4bcae09269e7841c017482f43751a96f62589
Opcode Fuzzy Hash: 8d3ffde947c9f494a154fa47ba82cb5972154e0bdcb5449bbde44eefe77b6618
Instruction Fuzzy Hash: 10A1BE71604300AFD720DF29C986F2AB7E1AF94714F14885DF59A9B292D7B0EC41CB92

Function 00A9BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B03700), ref: 00A9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00B3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00B31270,000000FF,?,0000003F,00000000,?), ref: 00A9BC36
_free.LIBCMT ref: 00A9BB7F

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A9BD4B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: fb88a3f545fec061d8f8ae9072bcf4a9e31f70cb2541e3c90e7cbce89ef07e9f
Instruction ID: e4a3014fd828ea43e9b63ff3a3d5372a0e6d2f57db54fab67e87be5a92bca391
Opcode Fuzzy Hash: fb88a3f545fec061d8f8ae9072bcf4a9e31f70cb2541e3c90e7cbce89ef07e9f
Instruction Fuzzy Hash: C751C971A10209EFCF10EF69AE819AFB7FCEF44760B10466AE554D71A1EB709D418BA0

Function 00ACE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ACCF22,?), ref: 00ACDDFD

Part of subcall function 00ACDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ACCF22,?), ref: 00ACDE16

Part of subcall function 00ACE199: GetFileAttributesW.KERNEL32(?,00ACCF95), ref: 00ACE19A

lstrcmpiW.KERNEL32(?,?), ref: 00ACE473
MoveFileW.KERNEL32(?,?), ref: 00ACE4AC
_wcslen.LIBCMT ref: 00ACE5EB
_wcslen.LIBCMT ref: 00ACE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00ACE650

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f6265a76ba99c2ec06db65c2ad0d9a18aed146edc733b56ffc4d65ad2bebd195
Instruction ID: e8b1f223193cfc1eec0e012a3392a38434a222dcdcb215c813fb9ab5992048a1
Opcode Fuzzy Hash: f6265a76ba99c2ec06db65c2ad0d9a18aed146edc733b56ffc4d65ad2bebd195
Instruction Fuzzy Hash: 0E5163B24087455BC724EBA0DD81EDFB3ECAF94350F00492EF589D3191EF75A6888766

Function 00AEB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEB6AE,?,?), ref: 00AEC9B5
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AEC9F1
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA68
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AEBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AEBB63
RegCloseKey.ADVAPI32(?,?), ref: 00AEBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00AEBBB3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: c0cbb3903a9325b6ef303c18e7ca516205d5425216da4673e6e76b503e2c4fcd
Instruction ID: 6032df854121847e889a5d6cfe9561d660a6fe594a673f5ee0006bb15b631b1c
Opcode Fuzzy Hash: c0cbb3903a9325b6ef303c18e7ca516205d5425216da4673e6e76b503e2c4fcd
Instruction Fuzzy Hash: 0A619B31218241AFD714DF55C594E2BBBE5FF84348F14856CF0998B2A2CB31ED46CBA2

Function 00AC8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AC8BCD
VariantClear.OLEAUT32 ref: 00AC8C3E
VariantClear.OLEAUT32 ref: 00AC8C9D
VariantClear.OLEAUT32(?), ref: 00AC8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AC8D3B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 0e89b09b4a226a3b4adfb1893536732a7f7fe2875f8ff06f7d276a01714a7e35
Instruction ID: 44c82514de0552edf7eeb777ce7ac6a4c6c12f91f98026b80823c3bb0b0ec4f1
Opcode Fuzzy Hash: 0e89b09b4a226a3b4adfb1893536732a7f7fe2875f8ff06f7d276a01714a7e35
Instruction Fuzzy Hash: 8A5169B5A00219EFCB10CF68D884EAAB7F8FF89310B168559E906DB350E734E911CB90

Function 00AD8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AD8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00AD8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AD8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AD8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AD8C5F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 9ea427e36e7b51aee5a8fdb2946f865cd0c95184297835c4d434f8fbc11e4b6c
Instruction ID: a43cbf3e84b8c136f92d2ab58df5587ef8537e0a04fdb01d1b5ad5b03291eafc
Opcode Fuzzy Hash: 9ea427e36e7b51aee5a8fdb2946f865cd0c95184297835c4d434f8fbc11e4b6c
Instruction Fuzzy Hash: 6F515C35A10218DFCB04DF65C980AADBBF5FF48314F088499E84AAB362DB35ED51CB90

Function 00AE8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00AE8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00AE8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00AE8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00AE9032
FreeLibrary.KERNEL32(00000000), ref: 00AE9052

Part of subcall function 00A7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00AD1043,?,75C0E610), ref: 00A7F6E6
Part of subcall function 00A7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00ABFA64,00000000,00000000,?,?,00AD1043,?,75C0E610,?,00ABFA64), ref: 00A7F70D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f73f3ba71a8dac3d4be7bf1527f18870d9ce9a0a72edcca5e3432cb2dd04dbc2
Instruction ID: 1ad198f0fba7e568505bd748c81a02568cceb5645fc0d6f08ca1402334289f74
Opcode Fuzzy Hash: f73f3ba71a8dac3d4be7bf1527f18870d9ce9a0a72edcca5e3432cb2dd04dbc2
Instruction Fuzzy Hash: 56514C35600245DFC711DF99C5948AEBBF1FF49324B0480A9E80AAB762DB31ED86CF91

Function 00AF6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00AF6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00AF6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00AF6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00ADAB79,00000000,00000000), ref: 00AF6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00AF6CC7

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 477d800b49db71551aad999d58c8ad25ba42922ded54f3beeb144e3e44f54e12
Instruction ID: 5759e881925adf76237967f56865120bf839abcc5b1e196ca6c34c9812415131
Opcode Fuzzy Hash: 477d800b49db71551aad999d58c8ad25ba42922ded54f3beeb144e3e44f54e12
Instruction Fuzzy Hash: 0E41AF35A04108AFDB24CFA9CD58FB97BA5EB09360F150228FA95E72A1C771AD42CA40

Function 00A92051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A920C3
_free.LIBCMT ref: 00A920E3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a64a9fc4ea20f3ca1b7089498e98741da23f56c7ff08890ab567dc1a058aac4b
Instruction ID: d5c6595daba073fa3b0525ee18c38ce28336d4f2c14edb95fd51763502962950
Opcode Fuzzy Hash: a64a9fc4ea20f3ca1b7089498e98741da23f56c7ff08890ab567dc1a058aac4b
Instruction Fuzzy Hash: 5541A132B00200AFCF24DF78C981B5EB7F5EF89314B258569E515EB351DA31AD01CB81

Function 00A7912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A79141
ScreenToClient.USER32(00000000,?), ref: 00A7915E
GetAsyncKeyState.USER32(00000001), ref: 00A79183
GetAsyncKeyState.USER32(00000002), ref: 00A7919D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 08f01cbe8e37d8fd4a71ebb497e98b06c08e2a6dfdb4c56f0efe39273b9641d1
Instruction ID: dbf7a188356b202ed04b989c671e0a5c8859dac52240fa313810b0bf8fe365d9
Opcode Fuzzy Hash: 08f01cbe8e37d8fd4a71ebb497e98b06c08e2a6dfdb4c56f0efe39273b9641d1
Instruction Fuzzy Hash: 1041707190850ABBDF05DFA8DC44BFEB774FB45320F208316E429A72A1C7745954CB61

Function 00AD3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00AD38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00AD3922
TranslateMessage.USER32(?), ref: 00AD394B
DispatchMessageW.USER32(?), ref: 00AD3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AD3966

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 86d78fd807f674d6ce3e7ffe6763caa3d39f32ab39555886157cd5de5bcbf345
Instruction ID: 765c1f2e4c1d528283ac42d1c204d305d36d39397f7d30ecf8b88a7bfcfe5202
Opcode Fuzzy Hash: 86d78fd807f674d6ce3e7ffe6763caa3d39f32ab39555886157cd5de5bcbf345
Instruction Fuzzy Hash: 5531D772504345AEEF35CB759878BBA37A8AB05300F14496BE463832A0E7F49685DB22

Function 00ADCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00ADC21E,00000000), ref: 00ADCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00ADCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00ADC21E,00000000), ref: 00ADCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00ADC21E,00000000), ref: 00ADCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00ADC21E,00000000), ref: 00ADCFF2

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 8450d692477f97138750c3ae389702cbf51767c13dcda16085e5247205a45cd1
Instruction ID: 97e07a40a61020c2e7b76455445180ac737e08148e5f2a29eafcc24f9501bd25
Opcode Fuzzy Hash: 8450d692477f97138750c3ae389702cbf51767c13dcda16085e5247205a45cd1
Instruction Fuzzy Hash: 45312C7150430AAFDB20DFE5C984AEBBBF9EB18365B50842EF517D2251DB30AE41DB60

Function 00AC1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AC1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00AC19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00AC19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00AC19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00AC19E2

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5d6f5a3b39427c66309d92b7cea8fa5cfad1bafdae00f07c877d109cb03737ce
Instruction ID: 794b1136ce46f9a609014ab42ec7b106f6896c1a1f2f5b8103bce5abfc14fbc6
Opcode Fuzzy Hash: 5d6f5a3b39427c66309d92b7cea8fa5cfad1bafdae00f07c877d109cb03737ce
Instruction Fuzzy Hash: E231AD71A00219EFCB10CFA8CD99BEE7BB5EB06325F114229F921A72D2C7709954CB90

Function 00AF5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00AF5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00AF579D
_wcslen.LIBCMT ref: 00AF57AF
_wcslen.LIBCMT ref: 00AF57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF5816

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 671f9c20c82060c4f9b87d3c2d2ff00541a205133bd6daa411a623d402c01617
Instruction ID: 7a711314278cf3aec4b4f50bba8194bfd28cd5bd89595e5a4d04b85a8d54b04f
Opcode Fuzzy Hash: 671f9c20c82060c4f9b87d3c2d2ff00541a205133bd6daa411a623d402c01617
Instruction Fuzzy Hash: 0C214A71D0461C9ADB209FE4CC85AFEBBB8EB04725F108616FB29EA180D7748985CF50

Function 00AE0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00AE0951
GetForegroundWindow.USER32 ref: 00AE0968
GetDC.USER32(00000000), ref: 00AE09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00AE09B0
ReleaseDC.USER32(00000000,00000003), ref: 00AE09E8

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2a2062016c4f07a547ada0ce372196e8df2e263e56955a8a8890718f609efc15
Instruction ID: b830e951b4ad49ac9f2733973178f84013765732f4bbf6e7033728c64049146c
Opcode Fuzzy Hash: 2a2062016c4f07a547ada0ce372196e8df2e263e56955a8a8890718f609efc15
Instruction Fuzzy Hash: E2219335600204AFD714EFA6DA88EAEBBF5EF44710F048469F85AD7362DB70AC45CB50

Function 00A9CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A9CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A9CDE9

Part of subcall function 00A93820: RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A9CE0F
_free.LIBCMT ref: 00A9CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A9CE31

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f813c526dcd7ea46a3f8be9af0fb3f457c344f13dcdd3bc01b0e6a7c1a32b9cb
Instruction ID: 4738e132f9fa7e10a930715e9937bca2ef12147462494657a1b061b19826d19a
Opcode Fuzzy Hash: f813c526dcd7ea46a3f8be9af0fb3f457c344f13dcdd3bc01b0e6a7c1a32b9cb
Instruction Fuzzy Hash: 1B01D472701A157FAB2157F76D88D7BB9ADDEC6BB13150229F906C7200EA608E02C2B0

Function 00A7990F Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A798CC
SetTextColor.GDI32(?,?), ref: 00A798D6
SetBkMode.GDI32(?,00000001), ref: 00A798E9
GetStockObject.GDI32(00000005), ref: 00A798F1
GetWindowLongW.USER32(?,000000EB), ref: 00A79952

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 356c6978a455e29fde6bbdd469a89ea121febc8a780bb4c6bab996e44cef6ac5
Instruction ID: f3fcf9fe985d63aa633a3f0212203a83c28e63fc687058dfb53ce18d48c66f07
Opcode Fuzzy Hash: 356c6978a455e29fde6bbdd469a89ea121febc8a780bb4c6bab996e44cef6ac5
Instruction Fuzzy Hash: A621273218A2549FC712CFA5EC59BBB7B74EF13321718859BF5468B1B2CB214852CB51

Function 00A79639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A79693
SelectObject.GDI32(?,00000000), ref: 00A796A2
BeginPath.GDI32(?), ref: 00A796B9
SelectObject.GDI32(?,00000000), ref: 00A796E2

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b52986b6744ccb58883c4cf40ee30549cc31bd8ea14946a01e4f258344222518
Instruction ID: e358767b6af95c4871a2a66631efe3e640813cb2a50ceb9432eed98b02226166
Opcode Fuzzy Hash: b52986b6744ccb58883c4cf40ee30549cc31bd8ea14946a01e4f258344222518
Instruction Fuzzy Hash: 11217F31802305EBDB11DFA9DD14BAE3BBCBB40725F208716F414A71A0DB709892CBA4

Function 00AC5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00AC5726
_memcmp.LIBVCRUNTIME ref: 00AC5744
_memcmp.LIBVCRUNTIME ref: 00AC5757
_memcmp.LIBVCRUNTIME ref: 00AC576F
_memcmp.LIBVCRUNTIME ref: 00AC5787

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b43e428634f96801d6f223d1a8687e768a38cf82bdcd379e125b0cfed08bb6d4
Instruction ID: 346963b74331e06f172c66029f6e5c28ced3ecd2079f4826582d1f4448bcc593
Opcode Fuzzy Hash: b43e428634f96801d6f223d1a8687e768a38cf82bdcd379e125b0cfed08bb6d4
Instruction Fuzzy Hash: 9201B576A41619BFD2186624DE82FBB735CEF21394F014828FE04AE241F760FDD183A4

Function 00A92DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00A8F2DE,00A93863,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6), ref: 00A92DFD
_free.LIBCMT ref: 00A92E32
_free.LIBCMT ref: 00A92E59
SetLastError.KERNEL32(00000000,00A61129), ref: 00A92E66
SetLastError.KERNEL32(00000000,00A61129), ref: 00A92E6F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ca674f1946d5e20d9aeed551d369fe86e75330ed51df3dc98fb2ea7790ce4d69
Instruction ID: 758271cf4c4ed6003ebb867fe9af102d411f1e64728ebc6915792b0279d49e6b
Opcode Fuzzy Hash: ca674f1946d5e20d9aeed551d369fe86e75330ed51df3dc98fb2ea7790ce4d69
Instruction Fuzzy Hash: EA01F9327056007BCE22A7B56DC6F2B2DEDAFD13F5B250124F415A2192EE648C024360

Function 00AC000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?,?,00AC035E), ref: 00AC002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?), ref: 00AC0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0070

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c28f6d98c56e81f4936e4bd1374ecdb8879f56878b861eda9b3b64471c48727d
Instruction ID: 5d6094e2d0768fbf6c8c4b7b2256d958f655befcf511623b3ba2772fa0207b53
Opcode Fuzzy Hash: c28f6d98c56e81f4936e4bd1374ecdb8879f56878b861eda9b3b64471c48727d
Instruction Fuzzy Hash: 09018B76600208FFDB208FAADD04FAA7AADEB447A2F164128F905D6210E771DD41CBA0

Function 00ACE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00ACE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00ACE9A5
Sleep.KERNEL32(00000000), ref: 00ACE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00ACE9B7
Sleep.KERNEL32 ref: 00ACE9F3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4d2ba03b858ce2a800b554dbd9d74ccfbd30ff906d8b40991350b0b075f16d65
Instruction ID: babf4b793118232b4663714cd276a93a5e86a9816d0af89b42e6df85ad5da541
Opcode Fuzzy Hash: 4d2ba03b858ce2a800b554dbd9d74ccfbd30ff906d8b40991350b0b075f16d65
Instruction Fuzzy Hash: B001F731C0152D9BCF00EBE6DD59AEDFB78BB09711F01465AE502B2141CB309565C765

Function 00AC10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC114D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5c13e41e0a894762620d3a42e478969ad93bb2ae8b4426689030f8be3de4346b
Instruction ID: 95ed30c78368bd571b8fdbb919f0c417ed57956837e902ab0f9ac76aa5a91e89
Opcode Fuzzy Hash: 5c13e41e0a894762620d3a42e478969ad93bb2ae8b4426689030f8be3de4346b
Instruction Fuzzy Hash: B6016975200209BFDB119FE6DD49E6A3B6EEF8A3A4B250518FA41C7360DB31DC11CA60

Function 00AC0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AC0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AC0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AC0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AC0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AC1002

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d6900002f1f10aa022af8d4bfb04bf8742b190ec12c652eb4696ab4c59083336
Instruction ID: b81a5012dbb4b5450be419eda14c2a965109c3b6b6c91b5c15800cfc9a97a8bf
Opcode Fuzzy Hash: d6900002f1f10aa022af8d4bfb04bf8742b190ec12c652eb4696ab4c59083336
Instruction Fuzzy Hash: 6EF06235200315EBD7218FE5DD4DF663B6DEF8A761F114415F946C7251CA70DC51CA60

Function 00AC1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AC102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1062

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5464b50729ddf426769f4ed7eca87cf1c5e447743a57dfd293f783a389285f97
Instruction ID: eebe28ce18cde3302949dd441623d6e863700599fe516b3e6f6a07430bbbb3bf
Opcode Fuzzy Hash: 5464b50729ddf426769f4ed7eca87cf1c5e447743a57dfd293f783a389285f97
Instruction Fuzzy Hash: 4DF0C239200305EBD7219FE5ED49F663B6DEF8A761F110424FD05C7251CA30D851CA60

Function 00AD030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD0324
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD0331
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD033E
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD034B
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD0358
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD0365

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9d7e2c01a67006b1155d4d5c9f7258323b5659996ee0ffbcad5087e4ca6a4911
Instruction ID: 3cd04983996f90b6eaaa93f9c535fe9bcb7c951645d8ccbc0decac42f5d7a581
Opcode Fuzzy Hash: 9d7e2c01a67006b1155d4d5c9f7258323b5659996ee0ffbcad5087e4ca6a4911
Instruction Fuzzy Hash: FE01AE72800B559FCB30AF66D880916FBF9BF603153158A3FD1A796A31C3B1A959DF80

Function 00A9D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A9D752

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A9D764
_free.LIBCMT ref: 00A9D776
_free.LIBCMT ref: 00A9D788
_free.LIBCMT ref: 00A9D79A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a6d2dec98e7d470506ceaea5a8bb831fdff87f0b996ff16c6378e3ccced5abc5
Instruction ID: b644c16f4068f93bc9c4349621ff047954c9cf1f0da0898ecb6505b295af8b05
Opcode Fuzzy Hash: a6d2dec98e7d470506ceaea5a8bb831fdff87f0b996ff16c6378e3ccced5abc5
Instruction Fuzzy Hash: 32F0AF72745204AB8E25EBA4FAC5D1A7BDDBB447107A54805F04DEB551CB20FCC187A5

Function 00AC5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00AC5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00AC5C6F
MessageBeep.USER32(00000000), ref: 00AC5C87
KillTimer.USER32(?,0000040A), ref: 00AC5CA3
EndDialog.USER32(?,00000001), ref: 00AC5CBD

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5fd962496dfb2ef49727fe739a3fd7864960e524a948df3815425858841644f5
Instruction ID: caa1691a572fa24f2bb056c9fc45d7f4756c67b1babe95ba0c77cf6bd271f4c1
Opcode Fuzzy Hash: 5fd962496dfb2ef49727fe739a3fd7864960e524a948df3815425858841644f5
Instruction Fuzzy Hash: F3018B305047049BEB245BA1DE4EFA577B8BF00B05F01155DB553A10E1DBF0B989CA50

Function 00A922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A922BE

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A922D0
_free.LIBCMT ref: 00A922E3
_free.LIBCMT ref: 00A922F4
_free.LIBCMT ref: 00A92305

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a75ab6a1223ea3725278ef40ee8e2170040a996317ca8328efafeb060d671cd
Instruction ID: 0515d4ad94971cb60b69c6940d45e67638fbd08b1b215aae8d886945df1e6fca
Opcode Fuzzy Hash: 1a75ab6a1223ea3725278ef40ee8e2170040a996317ca8328efafeb060d671cd
Instruction Fuzzy Hash: 9EF03AB1910520AB8A22FF5CBD01A5D3FE8BB687607200A4AF418D72B1CF300912EBE4

Function 00A795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A795D4
StrokeAndFillPath.GDI32(?,?,00AB71F7,00000000,?,?,?), ref: 00A795F0
SelectObject.GDI32(?,00000000), ref: 00A79603
DeleteObject.GDI32 ref: 00A79616
StrokePath.GDI32(?), ref: 00A79631

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 49f4688881cf8bdce3ea075cec425ac35356f379bde3e921a9856fc2fac67e6f
Instruction ID: 07c97207bdb47641f036f4f9e1b9061d0adfa98d38164b08bbc91fdeb8316621
Opcode Fuzzy Hash: 49f4688881cf8bdce3ea075cec425ac35356f379bde3e921a9856fc2fac67e6f
Instruction Fuzzy Hash: D9F0CD35005608EBD7169F99ED187693B69A701332F14C715F459560F0CF308557DF24

Function 00A90F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00A910F9
__freea.LIBCMT ref: 00A91117

Part of subcall function 00A91537: _free.LIBCMT ref: 00A9154F

Strings

a/p, xrefs: 00A911DE
am/pm, xrefs: 00A9117A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b9b0c02c30df5f08b9b42c70c0aaf21e5538672db50db4cbb5f0e1b29da13130
Instruction ID: 4c6946969ffbf5b4d98fa8dca5b93fe87f6ed10c1e601c911777590031521011
Opcode Fuzzy Hash: b9b0c02c30df5f08b9b42c70c0aaf21e5538672db50db4cbb5f0e1b29da13130
Instruction Fuzzy Hash: 80D1CC35B00207DADF699F68C985AFBB7F0EF06300F284269E915AFA50D7759D80CB91

Function 00AE7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00A80242: EnterCriticalSection.KERNEL32(00B3070C,00B31884,?,?,00A7198B,00B32518,?,?,?,00A612F9,00000000), ref: 00A8024D
Part of subcall function 00A80242: LeaveCriticalSection.KERNEL32(00B3070C,?,00A7198B,00B32518,?,?,?,00A612F9,00000000), ref: 00A8028A

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00A800A3: __onexit.LIBCMT ref: 00A800A9

__Init_thread_footer.LIBCMT ref: 00AE7BFB

Part of subcall function 00A801F8: EnterCriticalSection.KERNEL32(00B3070C,?,?,00A78747,00B32514), ref: 00A80202
Part of subcall function 00A801F8: LeaveCriticalSection.KERNEL32(00B3070C,?,00A78747,00B32514), ref: 00A80235

Strings

Variable must be of type 'Object'., xrefs: 00AE7C3A
5, xrefs: 00AE7C78
G, xrefs: 00AE7C7F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: d11eedb2dc40da72a276a66531e89229981362e722e92b84dec8d79ea533c380
Instruction ID: a2ed1113ae2b00afe2b40f50213038b3c4b7df31871be3e11004f726e4efebc7
Opcode Fuzzy Hash: d11eedb2dc40da72a276a66531e89229981362e722e92b84dec8d79ea533c380
Instruction Fuzzy Hash: 9891BD75A04249EFCB04EF96DA91DBDB7B5FF48300F248049F806AB292DB71AE45CB51

Function 00AC2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC21D0,?,?,00000034,00000800,?,00000034), ref: 00ACB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AC2760

Part of subcall function 00ACB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00ACB3F8

Part of subcall function 00ACB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00ACB355
Part of subcall function 00ACB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ACB365
Part of subcall function 00ACB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ACB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AC27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AC281A

Strings

@, xrefs: 00AC2832

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3f0dd0f6b8013d38df5809475d70fbd90f5c1fadd4775900628280920410903e
Instruction ID: 65004f8c656f1e094bad08a9cc53a92d95d3a05eaca0d6c38ec3ac2cf8136655
Opcode Fuzzy Hash: 3f0dd0f6b8013d38df5809475d70fbd90f5c1fadd4775900628280920410903e
Instruction Fuzzy Hash: 78410972900218AEDB10DFA4C986FEEBBB8AB09700F114099EA55B7181DA716E45CBA1

Function 00A9172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00A91769
_free.LIBCMT ref: 00A91834
_free.LIBCMT ref: 00A9183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00A91760, 00A91767, 00A91796, 00A917CE

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 7ff7d7487a8275591a16054fdea08c6fb6772cbd156d4c8664231db507693ad8
Instruction ID: 6717a27a11265b17f1e8551b1bca8b2a7369c20dd6ac3db870ba532ea91523f7
Opcode Fuzzy Hash: 7ff7d7487a8275591a16054fdea08c6fb6772cbd156d4c8664231db507693ad8
Instruction Fuzzy Hash: 4A316D75B0021AAFDF21DB999D85D9EBBFCEB85310B2441A6F80497211DA708E40DBA0

Function 00ACC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00ACC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00ACC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B31990,00BA5260), ref: 00ACC395

Strings

0, xrefs: 00ACC2DF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1887b264e53f73bef0d7f75091731b28684bda9aaf73f40051a1431b480d775b
Instruction ID: eb2cb3c9cfa7ddc08cbadc1ca824fdf53929b1f321a349862f8cd3d3992d083c
Opcode Fuzzy Hash: 1887b264e53f73bef0d7f75091731b28684bda9aaf73f40051a1431b480d775b
Instruction Fuzzy Hash: E041A0712043419FD720DF25E945F6ABBE8AF85320F11861DF8A99B3D1D730A905CB62

Function 00AF4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00AFCC08,00000000,?,?,?,?), ref: 00AF44AA
GetWindowLongW.USER32 ref: 00AF44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF44D7

Strings

SysTreeView32, xrefs: 00AF447C

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 96d1780c82947dced16d1a322f68a83f88259d2ce66ba95f5485b8fb95ac01c8
Instruction ID: 0096764b15cb1cf440460d463e3f151c0368c6e3e375d523189dd741b4c2d449
Opcode Fuzzy Hash: 96d1780c82947dced16d1a322f68a83f88259d2ce66ba95f5485b8fb95ac01c8
Instruction Fuzzy Hash: E1318F31214609AFDB209FB8DC45BEB7BA9EB08334F208715FA79A21E0D770EC519B50

Function 00AE304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00AE3077,?,?), ref: 00AE3378

inet_addr.WSOCK32(?), ref: 00AE307A
_wcslen.LIBCMT ref: 00AE309B
htons.WSOCK32(00000000), ref: 00AE3106

Strings

255.255.255.255, xrefs: 00AE3095, 00AE309A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 1b02cc915d1874cd0ffcab546d7e642c662557b8d494f49f2441ecc02f6bc7fc
Instruction ID: b2db74ea22671b699661061f7dd33375516c13fa786bd8308463a65931eef237
Opcode Fuzzy Hash: 1b02cc915d1874cd0ffcab546d7e642c662557b8d494f49f2441ecc02f6bc7fc
Instruction Fuzzy Hash: 4031E4362042859FCF20CF6AC589EAA77F0EF54318F258199E9158B392DB32EF45C761

Function 00AF3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00AF3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00AF3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF3F78

Strings

SysMonthCal32, xrefs: 00AF3F0B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ba7fc325cfb85163c7be880a238e900ef0b2119f8aa88e79709d7ec3d1d049b6
Instruction ID: c65a5ddbba2fa8401d94283e5454521c77732ad6ef2f252a86e7304e978fdc0a
Opcode Fuzzy Hash: ba7fc325cfb85163c7be880a238e900ef0b2119f8aa88e79709d7ec3d1d049b6
Instruction Fuzzy Hash: 41218B33600219BBDF25DF94DC46FEA3BB9EF48724F110214FA15AB190DAB5A951CBA0

Function 00AF4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00AF4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00AF4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00AF471A

Strings

msctls_updown32, xrefs: 00AF4684

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 67236fa9c433800e6e467969b80b4501ad8b3633a9a68e66ae89e0ab86e8d141
Instruction ID: 08efbd3bd61978c731461bef0bc8d48640a8de577049399a4ee7a722f9e9a36c
Opcode Fuzzy Hash: 67236fa9c433800e6e467969b80b4501ad8b3633a9a68e66ae89e0ab86e8d141
Instruction Fuzzy Hash: A22131B5604209AFEB10DFA8DC81DBB37ADEB5A364B140559F6009B251DB71EC12CA60

Function 00AC95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC961D

Strings

#requireadmin, xrefs: 00AC95D9
#OnAutoItStartRegister, xrefs: 00AC95F3
#notrayicon, xrefs: 00AC95B7

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f97b9930b2bb97490cf859ea5745f8963babcaa8ea5e9587aa2d645f5ca31d8e
Instruction ID: 358ae79a0b2029d225d4eb055ab630020856b3a2d3ec20168c0f0c6beb07ddc1
Opcode Fuzzy Hash: f97b9930b2bb97490cf859ea5745f8963babcaa8ea5e9587aa2d645f5ca31d8e
Instruction Fuzzy Hash: AA21AA322042146AE731BB24DD0AFBB73E8AF94300F51442EFA4A9B081EF64EE45C3D5

Function 00AF37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AF3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AF3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AF3876

Strings

Listbox, xrefs: 00AF380F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 635da30580dd69b13c2cd2829fb7db6b83b651d3c2eca5f8340a646ed10c2479
Instruction ID: a37f5e3a18d661c775dd66ed5fa45ec2f90eb3fb7de42eeefc48153b3aeb7336
Opcode Fuzzy Hash: 635da30580dd69b13c2cd2829fb7db6b83b651d3c2eca5f8340a646ed10c2479
Instruction Fuzzy Hash: EE217F72610118BBEF11DF95DC45EBB376EEF897A0F118124FA059B190CA75DC5287A0

Function 00AD49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AD4A5C
SetErrorMode.KERNEL32(00000000,?,?,00AFCC08), ref: 00AD4AD0

Strings

%lu, xrefs: 00AD4A6F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 1b1562b0a25916f4445c971ca27144288846ab641b1f8a8cc2980ef8e0bb1c88
Instruction ID: 79a0570dbd929d65f5bee7df46322fa5cf717b54610566775baf3312828b17ec
Opcode Fuzzy Hash: 1b1562b0a25916f4445c971ca27144288846ab641b1f8a8cc2980ef8e0bb1c88
Instruction Fuzzy Hash: 4F314175A00109AFDB10DF94C985EAA77F8EF48318F1480A9F509DB362D771EE46CB61

Function 00AF41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AF424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AF4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AF4271

Strings

msctls_trackbar32, xrefs: 00AF4226

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ff71ebbc7cc326e7c174e7b9568848e57a29c0fe9a99eee5a84438df1edd67b6
Instruction ID: f84eacf8ba0cb6620c360b22775b359217bca80ae3374b205c01cd8014b1bdc1
Opcode Fuzzy Hash: ff71ebbc7cc326e7c174e7b9568848e57a29c0fe9a99eee5a84438df1edd67b6
Instruction Fuzzy Hash: 4511E331240248BEEF205FA9CC06FFB3BACEF89B64F114624FA55E20A0D671D811DB24

Function 00AC2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

Part of subcall function 00AC2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AC2DC5
Part of subcall function 00AC2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC2DD6
Part of subcall function 00AC2DA7: GetCurrentThreadId.KERNEL32 ref: 00AC2DDD
Part of subcall function 00AC2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AC2DE4

GetFocus.USER32 ref: 00AC2F78

Part of subcall function 00AC2DEE: GetParent.USER32(00000000), ref: 00AC2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00AC2FC3
EnumChildWindows.USER32(?,00AC303B), ref: 00AC2FEB

Strings

%s%d, xrefs: 00AC2FFF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 52022d02fddca90e734acd5f82f3b93d96bb604819db4013a070dbcab0a373fc
Instruction ID: f2b0992d61b90a5805f672d692f627fd4302a12342c141bbbce97e607533e5c4
Opcode Fuzzy Hash: 52022d02fddca90e734acd5f82f3b93d96bb604819db4013a070dbcab0a373fc
Instruction Fuzzy Hash: 9011D572200209ABCF51BFA48D85FFD376AAF94314F048079F909DB192DE705A09CB60

Function 00AF5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00AF58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00AF58EE
DrawMenuBar.USER32(?), ref: 00AF58FD

Strings

0, xrefs: 00AF588F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 0be35a59d560772f5208b5ea23de8348d261bd276564c3ad0791c915a0251621
Instruction ID: d309b67f87488e3a5a6a6c23838d9dcfdda444d0a391b22f26d5ebc0ab224fa9
Opcode Fuzzy Hash: 0be35a59d560772f5208b5ea23de8348d261bd276564c3ad0791c915a0251621
Instruction Fuzzy Hash: 7201393190021CEEDB219FA1DC44BAABBB5BF45361F10C099FA49D6151DB708A85EF21

Function 00ABD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00ABD3BF
FreeLibrary.KERNEL32 ref: 00ABD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00ABD3B9
X64, xrefs: 00ABD2A8

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 20db8fedbb15533f23ce5ea60c0aceec820662d5c6e8f331dfd6a44e5464d4dd
Instruction ID: 720004e7628c465cbdad3f18a79614cb2d3523c08a8eef80fc08a22837a67486
Opcode Fuzzy Hash: 20db8fedbb15533f23ce5ea60c0aceec820662d5c6e8f331dfd6a44e5464d4dd
Instruction Fuzzy Hash: E3F0AB31802A659BC33143518C289FD737CAF00B01F68C269F806E9007FB24CD4486CA

Function 00AC007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146ed5a5111f230dbb43352b840652cfd8acf042af9c92ec98096f2780d09bc8
Instruction ID: 40f7d9d070f2a55e8bec1bdc25a71e981f549aafdd35c47b5e144092c9e8ce67
Opcode Fuzzy Hash: 146ed5a5111f230dbb43352b840652cfd8acf042af9c92ec98096f2780d09bc8
Instruction Fuzzy Hash: 6EC13875A0021AEFDB14CFA8C894FAAB7B5FF48304F168598E505EB251D731ED41DB90

Function 00A93E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A93F0B
__alldvrm.LIBCMT ref: 00A9410C
__alldvrm.LIBCMT ref: 00A9412E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 02ba19d62824828f1ed74ff49e5f7267bd3b9061efdb05122d9cf24b8f17dc50
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 07A12876F003869FEF25CF18C891BAEBBF5EF69350F24426DE5559B281C6388982C750

Function 00AE342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AE3459
CoUninitialize.OLE32 ref: 00AE3463
VariantInit.OLEAUT32(?), ref: 00AE346E
VariantClear.OLEAUT32(?), ref: 00AE371B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: eb9ebaee30dae777659270f4b27d392074caa0edebe07a8d5eeaadf1b8c67544
Instruction ID: 763a26d55581e0b1d52a87e6d43143badd60aadcc4ca648eb84280034f17eee8
Opcode Fuzzy Hash: eb9ebaee30dae777659270f4b27d392074caa0edebe07a8d5eeaadf1b8c67544
Instruction Fuzzy Hash: 6FA119766143409FCB10DF69C585A2AB7F5FF88724F048859F98A9B362DB30EE01CB91

Function 00AC0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00AFFC08,?), ref: 00AC05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00AFFC08,?), ref: 00AC0608
CLSIDFromProgID.OLE32(?,?,00000000,00AFCC40,000000FF,?,00000000,00000800,00000000,?,00AFFC08,?), ref: 00AC062D
_memcmp.LIBVCRUNTIME ref: 00AC064E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1fa9f4a648a78d03d6eee32006dab70ffc0f110d5824c31108ef46ecba3b3d4e
Instruction ID: b5141214e2462bb5e3d900dfa1e0e5d5f2d03782ed8a8f3b31821d18e94a3e46
Opcode Fuzzy Hash: 1fa9f4a648a78d03d6eee32006dab70ffc0f110d5824c31108ef46ecba3b3d4e
Instruction Fuzzy Hash: 7A81E975A00109EFCB04DFE8C984EEEB7B9FF89315F214558E516AB250DB71AE06CB60

Function 00AEA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00AEA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00AEA6BA

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Process32NextW.KERNEL32(00000000,?), ref: 00AEA79C
CloseHandle.KERNEL32(00000000), ref: 00AEA7AB

Part of subcall function 00A7CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00AA3303,?), ref: 00A7CE8A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: ba19f4b1b839f57f8519d343d53cef3e5417e4488515b8e4c800f30c7b4dccc5
Instruction ID: 5919d9af691aad5a996359ddf8e575bb1c100059b492f47cd5c68c80897ae8f9
Opcode Fuzzy Hash: ba19f4b1b839f57f8519d343d53cef3e5417e4488515b8e4c800f30c7b4dccc5
Instruction Fuzzy Hash: 6F513B71508340AFD710EF65C986A6BBBF8FF99754F00891DF58997291EB30E904CB92

Function 00AA1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AA14C0

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 48b3b853e178c5c722c085614af667c064abcb9438fcc9bb54bee2f4ecb23bf6
Instruction ID: 0df82848c7c1c73d7a8d895477b36f00bd3b55cd8d278d40636c8c06c83cf887
Opcode Fuzzy Hash: 48b3b853e178c5c722c085614af667c064abcb9438fcc9bb54bee2f4ecb23bf6
Instruction Fuzzy Hash: D1410675A00615BBDF21BBBD8D46ABE3AE4EF4B370F144225F419D71D2E734884153A1

Function 00AF6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AF62E2
ScreenToClient.USER32(?,?), ref: 00AF6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00AF6382

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 20bce5fb1908001496069a600c668ee004d2c6edfb822b0cfd1ed1aca21e1b92
Instruction ID: 07dc7f5f0f5f4911b33aa281501e5d88c8a91fbc5063c3e3ab63908400ada8b7
Opcode Fuzzy Hash: 20bce5fb1908001496069a600c668ee004d2c6edfb822b0cfd1ed1aca21e1b92
Instruction Fuzzy Hash: 89512A74A00209EFCB14DFA8D980ABE7BB5EF55360F208669F9159B291D730ED41CB50

Function 00AE1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00AE1AFD
WSAGetLastError.WSOCK32 ref: 00AE1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AE1B8A
WSAGetLastError.WSOCK32 ref: 00AE1B94

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f09ff3eb5dd179e4797ca947619dbc358d6a968b4ed015878581f680fef48866
Instruction ID: eadc3f68808e7ff55bde3f8212b1a1063d5ca1d93157a72426cfe0488a6e5493
Opcode Fuzzy Hash: f09ff3eb5dd179e4797ca947619dbc358d6a968b4ed015878581f680fef48866
Instruction Fuzzy Hash: E541DF74600210AFE720AF25C986F2A77E5EB44718F54C488F91A9F3D2D772ED42CB90

Function 00A9B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25670c5feb22d490ea19ad7a38e5f1e4e6a137a090916baa36ff72264e2437f5
Instruction ID: ee5a1ab604eb3da181512f854fdbc08d1b26e072cbf8ae29873a95d795a44554
Opcode Fuzzy Hash: 25670c5feb22d490ea19ad7a38e5f1e4e6a137a090916baa36ff72264e2437f5
Instruction Fuzzy Hash: 50411975B10304BFDB24AF78DE41BAABBE9EBC4710F10852AF152DB2D1D771990187A0

Function 00AD56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AD5783
GetLastError.KERNEL32(?,00000000), ref: 00AD57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AD57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AD57FA

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: da0ec6cec4abd5f74d9f38d2eb0f3b97c5e9606d3a620864f2facee6f2e22efb
Instruction ID: 95d0c7fba1dde2e6d1368b1d4eac4a822123279f43d57f825d310280ca043c88
Opcode Fuzzy Hash: da0ec6cec4abd5f74d9f38d2eb0f3b97c5e9606d3a620864f2facee6f2e22efb
Instruction Fuzzy Hash: DA414E35610610DFCB11EF55C644A5EBBF2EF89724B198889E84BAB362CB30FD41DB91

Function 00A9D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00A86D71,00000000,00000000,00A882D9,?,00A882D9,?,00000001,00A86D71,8BE85006,00000001,00A882D9,00A882D9), ref: 00A9D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A9D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A9D9AB
__freea.LIBCMT ref: 00A9D9B4

Part of subcall function 00A93820: RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 51627846c8dfcaadb66eaa8aeb8e3b91b75932b1b28ac84bb0baea0fed90d2c6
Instruction ID: 7f169aa9d19cdafe827bd1d5bc5a0f0e5d5feb86f1cd72775d9f1823fd599128
Opcode Fuzzy Hash: 51627846c8dfcaadb66eaa8aeb8e3b91b75932b1b28ac84bb0baea0fed90d2c6
Instruction Fuzzy Hash: 0431BE72A0020AABDF24EFA5DD41EAE7BE5EB40310B054269FC04D7291EB35CDA5CB90

Function 00AF52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00AF5352
GetWindowLongW.USER32(?,000000F0), ref: 00AF5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AF53A8

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 6b1d9ee7119e96cfa776e7d7a05562eca6bb037123b3922cf5ff93bdd18ed0cf
Instruction ID: 3e5b44d92dcaa7203870cc5cdf9c337a5ebb979af655559080fd8548890e03b3
Opcode Fuzzy Hash: 6b1d9ee7119e96cfa776e7d7a05562eca6bb037123b3922cf5ff93bdd18ed0cf
Instruction Fuzzy Hash: 39319034E55A0CAFEB249BACCC25BF87765AB05390F584201BB509A1E1C7B49941EB42

Function 00ACAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00ACABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00ACAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00ACAC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00ACACC6

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1a097f044c373c365c86c2791e08cf240189cd466f3e274e2402bd38426637e2
Instruction ID: 8c7fc52b81beaadcfdffa8df82ec9d3f5efd60bfc55a0176ac9df3a46f2f8303
Opcode Fuzzy Hash: 1a097f044c373c365c86c2791e08cf240189cd466f3e274e2402bd38426637e2
Instruction Fuzzy Hash: 13312830A4831CAFEF34CBE98C08FFA7BB5AB65328F05421EE485921D1C37589858752

Function 00AF7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00AF769A
GetWindowRect.USER32(?,?), ref: 00AF7710
PtInRect.USER32(?,?,00AF8B89), ref: 00AF7720
MessageBeep.USER32(00000000), ref: 00AF778C

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9e29727d6d8217f94e5ab3655cad880b5d2b2d1f125baaedb54064a2426c3a11
Instruction ID: e049042a2dbb45fc5999d5c033b9d4860e68f65804ff260961c6c5c807114ac9
Opcode Fuzzy Hash: 9e29727d6d8217f94e5ab3655cad880b5d2b2d1f125baaedb54064a2426c3a11
Instruction Fuzzy Hash: A4417834A19218DFCB01EFD9C994EBDB7F5BB49314F2941A8FA149B261C730E942CB90

Function 00AF16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00AF16EB

Part of subcall function 00AC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC3A57
Part of subcall function 00AC3A3D: GetCurrentThreadId.KERNEL32 ref: 00AC3A5E
Part of subcall function 00AC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AC25B3), ref: 00AC3A65

GetCaretPos.USER32(?), ref: 00AF16FF
ClientToScreen.USER32(00000000,?), ref: 00AF174C
GetForegroundWindow.USER32 ref: 00AF1752

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: da5c2184aad78602163c4f4a7a64aa683300d2fe8d1d3642db5cb787deb0b75d
Instruction ID: 6157f98726384b64727b97da262610744e3d666bc790c6867b67ab585cabb3a7
Opcode Fuzzy Hash: da5c2184aad78602163c4f4a7a64aa683300d2fe8d1d3642db5cb787deb0b75d
Instruction Fuzzy Hash: CE313E75D00249AFCB04EFAAC981DBEBBF9EF48314B5080AAE555E7211D6319E45CFA0

Function 00ACDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00A67620: _wcslen.LIBCMT ref: 00A67625

_wcslen.LIBCMT ref: 00ACDFCB
_wcslen.LIBCMT ref: 00ACDFE2
_wcslen.LIBCMT ref: 00ACE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00ACE018

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: cdc92c59a861ea4983ca8ea378a2e4f2e5340913c8caf2909202130a10fea33b
Instruction ID: c314ddf2e40224984918953ab790264aa31048fae2d6b9a9bedfb9105e4f9b2d
Opcode Fuzzy Hash: cdc92c59a861ea4983ca8ea378a2e4f2e5340913c8caf2909202130a10fea33b
Instruction Fuzzy Hash: 1821B575940215AFCB20EFA8DA81F6EB7F8EF45760F154069E805BB281D6709E41CBE1

Function 00AF8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

GetCursorPos.USER32(?), ref: 00AF9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00AB7711,?,?,?,?,?), ref: 00AF9016
GetCursorPos.USER32(?), ref: 00AF905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00AB7711,?,?,?), ref: 00AF9094

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 773ba6623bdc748be4bd173f908cec7643f54275a2d127bb328d7ffe4f2743bb
Instruction ID: 11fb2b10b2ac911b33028854f44f527b622393b61d5feafd758c9c7c402ed478
Opcode Fuzzy Hash: 773ba6623bdc748be4bd173f908cec7643f54275a2d127bb328d7ffe4f2743bb
Instruction Fuzzy Hash: E921483560001CAFDB258FE9C858FFB7BB9EB89360F144165FA058B2A1CB319991DB61

Function 00ACD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00AFCB68), ref: 00ACD2FB
GetLastError.KERNEL32 ref: 00ACD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00ACD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00AFCB68), ref: 00ACD376

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2c62dce2ff47fe73f6b9dcacb8464f35b443b33274df68d0b98236edbfc5c6f1
Instruction ID: 1656cf0b29d3402f550d4029169ebe3c5483300d112c921a7997aee9f3a5c2f0
Opcode Fuzzy Hash: 2c62dce2ff47fe73f6b9dcacb8464f35b443b33274df68d0b98236edbfc5c6f1
Instruction Fuzzy Hash: 0921A3745042059FC700EF64CA819ABB7E8EE55364F114A2EF499DB3A1E730D946CB93

Function 00AC1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AC102A
Part of subcall function 00AC1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1036
Part of subcall function 00AC1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1045
Part of subcall function 00AC1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC104C
Part of subcall function 00AC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AC15BE
_memcmp.LIBVCRUNTIME ref: 00AC15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC1617
HeapFree.KERNEL32(00000000), ref: 00AC161E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2e81c98dae03bc3c930d138f342473e7812e1777877add05df58eaba4ea55a26
Instruction ID: a5157841060f2adf615e929d44e2f6caeec91ce02d37e232b7b6290b8483ef7f
Opcode Fuzzy Hash: 2e81c98dae03bc3c930d138f342473e7812e1777877add05df58eaba4ea55a26
Instruction Fuzzy Hash: CD219A71E00108EFDF00DFA5CA45FEEB7B8EF46354F1A4459E441AB242E730AA05DBA0

Function 00AF2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00AF280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AF2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AF2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00AF2840

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fe48bbf359f0bdfc6fecc7393d4f7a32acacb0734df8ca853d64fbf870e9444f
Instruction ID: 7d17ade289fe99185dfda28be14f448fe628f528b49a9aafad85f6a2596372b4
Opcode Fuzzy Hash: fe48bbf359f0bdfc6fecc7393d4f7a32acacb0734df8ca853d64fbf870e9444f
Instruction Fuzzy Hash: 1321B031205519AFD714EBA4C944FBA7BA5AF45324F148158F5268B6E2C771EC82C7D0

Function 00AC78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00AC790A,?,000000FF,?,00AC8754,00000000,?,0000001C,?,?), ref: 00AC8D8C
Part of subcall function 00AC8D7D: lstrcpyW.KERNEL32(00000000,?,?,00AC790A,?,000000FF,?,00AC8754,00000000,?,0000001C,?,?,00000000), ref: 00AC8DB2
Part of subcall function 00AC8D7D: lstrcmpiW.KERNEL32(00000000,?,00AC790A,?,000000FF,?,00AC8754,00000000,?,0000001C,?,?), ref: 00AC8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00AC8754,00000000,?,0000001C,?,?,00000000), ref: 00AC7923
lstrcpyW.KERNEL32(00000000,?,?,00AC8754,00000000,?,0000001C,?,?,00000000), ref: 00AC7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00AC8754,00000000,?,0000001C,?,?,00000000), ref: 00AC7984

Strings

cdecl, xrefs: 00AC797B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2e4ac7b9e1315e4ec0adc88484426fbb8551b16cb23f0ec3e488b8c0b044dcff
Instruction ID: 4ad58bc4047e9365235e3c157e7ecbc0a25ec2c236eecfe90a5702c013011d08
Opcode Fuzzy Hash: 2e4ac7b9e1315e4ec0adc88484426fbb8551b16cb23f0ec3e488b8c0b044dcff
Instruction Fuzzy Hash: 4B11D63A200205AFCB159F75DC45E7A77E5FF45360B51802EF946C7264EB319911CB61

Function 00AF7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AF7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00AF7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00AF7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00ADB7AD,00000000), ref: 00AF7D6B

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 34d4921a7fe04fec5dd90c8c4903ecc6502eebabb458ce252c5e5d59f5823d4d
Instruction ID: d1d3d76d7de9c3962fb1d6092ed643e8cfeb20dc64cede4afba7d812ef8ef53a
Opcode Fuzzy Hash: 34d4921a7fe04fec5dd90c8c4903ecc6502eebabb458ce252c5e5d59f5823d4d
Instruction Fuzzy Hash: 0F11A231504619AFCB109FA9CC04ABA3BA9AF453B0B658724F939C72F0D7309952CB50

Function 00AF5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00AF56BB
_wcslen.LIBCMT ref: 00AF56CD
_wcslen.LIBCMT ref: 00AF56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF5816

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: f682680dbecd84db433f2a4d9b3358a13ffd7651d0465edf20b24221a1715e5b
Instruction ID: 8b9ee99cfa0c1ba4792be8f14c116dbc29e44694a615016fca65e942380f0d5d
Opcode Fuzzy Hash: f682680dbecd84db433f2a4d9b3358a13ffd7651d0465edf20b24221a1715e5b
Instruction Fuzzy Hash: DF11B171E0060C96DB20DFF58C85AFE77BCEF11761B10842AFB15D6081EBB48A80CBA0

Function 00A91D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0785dc1ba7d4275026e318c8acdca4928732f47e109105ef4fc63d78757fb87
Instruction ID: 70fa7bb8f8847a27343328c9b18b1f7d020cd666bd4d433ea343bd2aae2bac76
Opcode Fuzzy Hash: b0785dc1ba7d4275026e318c8acdca4928732f47e109105ef4fc63d78757fb87
Instruction Fuzzy Hash: 0E014BB230961B7EFE2166B86CC1F6766EDDF817B8B340325F521A11D2DB609C419160

Function 00AC1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AC1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC1A8A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 757906eea828f1f69f9cfc41e3a6fc399f3c688c6f2288316d63836caf8a9696
Instruction ID: 13dd92b6f3eb4b479fbf7090c9556c884da8fb0e66840736960433f0f10c1fd5
Opcode Fuzzy Hash: 757906eea828f1f69f9cfc41e3a6fc399f3c688c6f2288316d63836caf8a9696
Instruction Fuzzy Hash: D811393AE01219FFEB10DBA5CD85FADBB78EB08750F210095EA00B7290D6716E50DB94

Function 00ACE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ACE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00ACE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00ACE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00ACE24D

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b926de8db134c21fec1e25cc731bed11f1620b94bf7984f0d2676faed3b4e7cb
Instruction ID: 929432cb1f5c9e719011b269d47843b52c6a4f0fdd86d12467481ae8d1c042ff
Opcode Fuzzy Hash: b926de8db134c21fec1e25cc731bed11f1620b94bf7984f0d2676faed3b4e7cb
Instruction Fuzzy Hash: A511C476904258BBCB01DFED9D09FEE7FACEB45320F154659F924E3291D7B0890487A4

Function 00A8D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00A8CFF9,00000000,00000004,00000000), ref: 00A8D218
GetLastError.KERNEL32 ref: 00A8D224
__dosmaperr.LIBCMT ref: 00A8D22B
ResumeThread.KERNEL32(00000000), ref: 00A8D249

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: bb5914b5917268d0ccc9b8b7b1d8e17a6d7c9152d228d9a13801c888cb6c52e9
Instruction ID: 43ad4789b936f56d6469897e2ff3a2e89365e69e686c06c8e3dbbce0e874d51e
Opcode Fuzzy Hash: bb5914b5917268d0ccc9b8b7b1d8e17a6d7c9152d228d9a13801c888cb6c52e9
Instruction Fuzzy Hash: C1019236805209BBDB11BBE6DC09BEE7B69EF81771F104319F925961E0EB718911C7A0

Function 00AF9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

GetClientRect.USER32(?,?), ref: 00AF9F31
GetCursorPos.USER32(?), ref: 00AF9F3B
ScreenToClient.USER32(?,?), ref: 00AF9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00AF9F7A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 679d55a30ddf5694e9814d41f83b7e62e4f4b273408fa62e5f3da2e214da39b0
Instruction ID: 9dba88bb4dc5f68fbf5fd2f62668990fab109057220c2b572a3b2f3db92a9917
Opcode Fuzzy Hash: 679d55a30ddf5694e9814d41f83b7e62e4f4b273408fa62e5f3da2e214da39b0
Instruction Fuzzy Hash: D511033290011EABDB10EFE9D989AFF77B9EB45311F104455FA12E7150D730BA86CBA1

Function 00A6600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A6604C
GetStockObject.GDI32(00000011), ref: 00A66060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A6606A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: c6623ad6f6e2e665947897ea629fe198f30384e0a22a655ac91047f3865f4c36
Instruction ID: 46595f1bfc2ce75213eed0504e0c9c38d888a3542363f7e9c56eedc787d8d64b
Opcode Fuzzy Hash: c6623ad6f6e2e665947897ea629fe198f30384e0a22a655ac91047f3865f4c36
Instruction Fuzzy Hash: 9011AD72101508BFEF129FE48C44EEABF7DEF083A5F054225FA0452010D7329C60DBA0

Function 00A83B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00A83B56

Part of subcall function 00A83AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A83AD2
Part of subcall function 00A83AA3: ___AdjustPointer.LIBCMT ref: 00A83AED

_UnwindNestedFrames.LIBCMT ref: 00A83B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A83B7C
CallCatchBlock.LIBVCRUNTIME ref: 00A83BA4

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 488055da5aded65928cba4c99591588721a73ec2a2fd290d181228f43f1dd3af
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 5701D772100149BBDF126F95CD46EEB7B69EF58B54F044014FE4856121D632E9619BA0

Function 00A93073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A613C6,00000000,00000000,?,00A9301A,00A613C6,00000000,00000000,00000000,?,00A9328B,00000006,FlsSetValue), ref: 00A930A5
GetLastError.KERNEL32(?,00A9301A,00A613C6,00000000,00000000,00000000,?,00A9328B,00000006,FlsSetValue,00B02290,FlsSetValue,00000000,00000364,?,00A92E46), ref: 00A930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A9301A,00A613C6,00000000,00000000,00000000,?,00A9328B,00000006,FlsSetValue,00B02290,FlsSetValue,00000000), ref: 00A930BF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d321ade3f62bcea196587b72cdde19adfd548cde17399ee399273b5464ffe319
Instruction ID: c077b41b3c10c5d9e8cee0937a5c5143dc9cd8078bfc2a1c15b3fc68e7267be8
Opcode Fuzzy Hash: d321ade3f62bcea196587b72cdde19adfd548cde17399ee399273b5464ffe319
Instruction Fuzzy Hash: 13018433711226ABDF318BB9AC4496B7BF8AF45BB1B214624F916E7140DB21DD06C6E0

Function 00AC7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00AC747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AC7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AC74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00AC74CA

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 42900c3d4c8032483b85ca53b6c1b9293b87da9f42ed83ae94714585e040dcdf
Instruction ID: fb4d596bfcfc5b9d4eb5f09a38b64966d40a72a6a3cb2558a663bdeb9a628165
Opcode Fuzzy Hash: 42900c3d4c8032483b85ca53b6c1b9293b87da9f42ed83ae94714585e040dcdf
Instruction Fuzzy Hash: 9711ADB5205314ABE720CF98DE09FAABFFCEB00B10F11856DA626D6191D7B0E904DF60

Function 00ACB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ACACD3,?,00008000), ref: 00ACB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ACACD3,?,00008000), ref: 00ACB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ACACD3,?,00008000), ref: 00ACB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ACACD3,?,00008000), ref: 00ACB126

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a651003e8ebc171eb632addc95ea9937ca963a2a2458d74a4d48d0c6bb110ddf
Instruction ID: 694dcfd277f343ee6626ce2c085e92dee0de0cb12cf32f273ff693c5ac6507ae
Opcode Fuzzy Hash: a651003e8ebc171eb632addc95ea9937ca963a2a2458d74a4d48d0c6bb110ddf
Instruction Fuzzy Hash: 19112A31C1152CD7CF00DFE5E95ABEEBB78BF09711F124289D941B2181CB315951CB66

Function 00AF7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AF7E33
ScreenToClient.USER32(?,?), ref: 00AF7E4B
ScreenToClient.USER32(?,?), ref: 00AF7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AF7E8A

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: df7ab67598c86ea78d13c41d2259c7e8e17902bb72162426a2c975f30f43e332
Instruction ID: 363bfd162c90c3ae8a03da1abab678a816b5c35b2c2a7aea11a8b1c607a78229
Opcode Fuzzy Hash: df7ab67598c86ea78d13c41d2259c7e8e17902bb72162426a2c975f30f43e332
Instruction Fuzzy Hash: 51112DB9D0420AAFDB41DFD9C984AAEBBB9FB08210F509066E915E2210D735AA55CF90

Function 00AC2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AC2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC2DD6
GetCurrentThreadId.KERNEL32 ref: 00AC2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AC2DE4

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: e98b71b8da5c99b5669fe5cd8b655cec8c5df3612abc04e2b0ac93e02694935e
Instruction ID: d23c46f6ea5d57800747857adb0cac7423a585f19c34275897ca6105e8802645
Opcode Fuzzy Hash: e98b71b8da5c99b5669fe5cd8b655cec8c5df3612abc04e2b0ac93e02694935e
Instruction Fuzzy Hash: BAE06D711052287AD7205BE39D0DFFB7E6CEF52BB1F011119B106D50809AA08942C6B0

Function 00AF8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A79693
Part of subcall function 00A79639: SelectObject.GDI32(?,00000000), ref: 00A796A2
Part of subcall function 00A79639: BeginPath.GDI32(?), ref: 00A796B9
Part of subcall function 00A79639: SelectObject.GDI32(?,00000000), ref: 00A796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00AF8887
LineTo.GDI32(?,?,?), ref: 00AF8894
EndPath.GDI32(?), ref: 00AF88A4
StrokePath.GDI32(?), ref: 00AF88B2

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7653a7af3ac701e60121f066abc7610d56084455cf86c329b2b61b5a2a8305fc
Instruction ID: 1a394f15bdceca2ada97a9778706de23bf084704d468eff139e104a3c61946cd
Opcode Fuzzy Hash: 7653a7af3ac701e60121f066abc7610d56084455cf86c329b2b61b5a2a8305fc
Instruction Fuzzy Hash: 82F03A36041259BADB129FD5AD09FEE3E59AF06360F148101FA11650E1CB795522CBE9

Function 00A798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A798CC
SetTextColor.GDI32(?,?), ref: 00A798D6
SetBkMode.GDI32(?,00000001), ref: 00A798E9
GetStockObject.GDI32(00000005), ref: 00A798F1

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 41e00b1ebd717d9e25c8176eeff595fc92dcaf9c8ed3a45cd8fdb492496163a9
Instruction ID: 7aac3163a284aa8ce82518647fa47f3582ed6658821d0231dc207d09fed956c1
Opcode Fuzzy Hash: 41e00b1ebd717d9e25c8176eeff595fc92dcaf9c8ed3a45cd8fdb492496163a9
Instruction Fuzzy Hash: BFE06531244244AADB219BF5AD09BFD3F14EB51336F14C319F6FA580E1C3724651DB10

Function 00AC162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00AC1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00AC11D9), ref: 00AC163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AC11D9), ref: 00AC1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00AC11D9), ref: 00AC164F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 34bb1df727a8ce7f864085d13546c8e8de43d58d25729b30f20d2a7d059105f1
Instruction ID: 22a6fcf93f5691db3a5a1adb194a088267adcf59b132b47685e348589de661bc
Opcode Fuzzy Hash: 34bb1df727a8ce7f864085d13546c8e8de43d58d25729b30f20d2a7d059105f1
Instruction Fuzzy Hash: F4E08632601215DBDB205FF29F0DFA63B7CEF457A5F154808F245C9080DB344546C750

Function 00ABD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ABD858
GetDC.USER32(00000000), ref: 00ABD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ABD882
ReleaseDC.USER32(?), ref: 00ABD8A3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 04490a20a3aec7aa0e1e8dbc9af4c51494e39e5ab760ee2c898df63bfaeb5e15
Instruction ID: 54ebb694e27e4a3a1e79738d58a3e28dba139a125a4c079efc75e41fd9999150
Opcode Fuzzy Hash: 04490a20a3aec7aa0e1e8dbc9af4c51494e39e5ab760ee2c898df63bfaeb5e15
Instruction Fuzzy Hash: 45E01AB0804208DFCB81DFE1DA08A7DBBB5FB08321F109409E846E7350CB384902EF40

Function 00ABD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ABD86C
GetDC.USER32(00000000), ref: 00ABD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ABD882
ReleaseDC.USER32(?), ref: 00ABD8A3

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: de1ea2586b27da81aeac7c81cc75518a230189e31ad0e5f64b65e056e6bb33b8
Instruction ID: d8ef82505fab9238f35972ed32f669bf80c58b94358fe2a33defa124807dba99
Opcode Fuzzy Hash: de1ea2586b27da81aeac7c81cc75518a230189e31ad0e5f64b65e056e6bb33b8
Instruction Fuzzy Hash: 89E09A75804208DFCB91DFE5DA0867DBBB5FB08321B149449E94AE7350CB795906DF50

Function 00AD4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A67620: _wcslen.LIBCMT ref: 00A67625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00AD4ED4

Strings

*, xrefs: 00AD4E10
LPT, xrefs: 00AD4DFB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ec28ab676a45bb97d5eba845dd8f0f3477c9ea7b8ef12264567e6b535142e7e5
Instruction ID: 42d924a068a62179c360f267fb9d6ea18e8fbe8c2f8b8d305891321fca86d683
Opcode Fuzzy Hash: ec28ab676a45bb97d5eba845dd8f0f3477c9ea7b8ef12264567e6b535142e7e5
Instruction Fuzzy Hash: 87915075A00244AFCB14DF58C584EAABBF1BF48704F18809AE40A9F362D735EE85CB91

Function 00A8E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A8E30D

Strings

pow, xrefs: 00A8E2E5, 00A8E302

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 6461d8b499ef39fda81cb4047ba8f120c8e61aa5bef43ddc2284508885c507ad
Instruction ID: 51b048eed9b9357eb4ae4bd22522f787980c0777842416708fe5c3a3e6a06d71
Opcode Fuzzy Hash: 6461d8b499ef39fda81cb4047ba8f120c8e61aa5bef43ddc2284508885c507ad
Instruction Fuzzy Hash: FC514771B2C202D6CF15F718CA057BE3BE4EB50B40F304998E0D6872A9EF358C859B96

Function 00A7E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00A7E1B1

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d3867b5e06dd8791f83ae8d303968c0d2ceb9d5eac70fcd0ce2031a30e791198
Instruction ID: 7ad343f818c21938b8ec6d527f1001804d8a8cbf1a116b92bfdb69941c36b5d8
Opcode Fuzzy Hash: d3867b5e06dd8791f83ae8d303968c0d2ceb9d5eac70fcd0ce2031a30e791198
Instruction Fuzzy Hash: 55512575604246EFDF15DF68C4816FA7BB8EF29310F24C095EC919B2D2DA309D82DB90

Function 00A7F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A7F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A7F2BB

Strings

@, xrefs: 00A7F2AF

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a50edc0d43e9d9a941e0a336ab963220e1d05dae304c693a3fcf025b2d03e5e6
Instruction ID: e6fa58b6ca0551dc1145e4dc7b938b1e9a53884ba740f3378f00f623c038f442
Opcode Fuzzy Hash: a50edc0d43e9d9a941e0a336ab963220e1d05dae304c693a3fcf025b2d03e5e6
Instruction Fuzzy Hash: 0C5175714187449BD320AF50DD86BAFBBF8FB84714F81884CF2D9410A5EB718529CB66

Function 00AE5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00AE57E0
_wcslen.LIBCMT ref: 00AE57EC

Strings

CALLARGARRAY, xrefs: 00AE57E6, 00AE57EB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 2f0aa118bbb3d0f12f7e636c141125a38d66cf6f93db90568e4a26163be8d74c
Instruction ID: f61f85b39b3effe603e502b2ae0c05c56564deace2337a41998315076b95bbcc
Opcode Fuzzy Hash: 2f0aa118bbb3d0f12f7e636c141125a38d66cf6f93db90568e4a26163be8d74c
Instruction Fuzzy Hash: FE41AF31E002099FCB14DFBADA819BEBBF5FF59328F148169E505A7251E7309D81DB90

Function 00ADD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ADD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00ADD13A

Strings

|, xrefs: 00ADD10B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: bf221cd1c4a3c43b7c657e301334b505c1e2928f1d034e7400de6b2cf75b8aca
Instruction ID: 5d3ec11291b82902b12959d6b85cd49f607ed7a86e3b94920cbce9adf926a9ea
Opcode Fuzzy Hash: bf221cd1c4a3c43b7c657e301334b505c1e2928f1d034e7400de6b2cf75b8aca
Instruction Fuzzy Hash: 1C313E71D00209ABCF15EFA4CD85AEEBFB9FF04300F000119F815A6261E731AA46DB90

Function 00AF356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00AF3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AF365C

Strings

static, xrefs: 00AF35BC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 62cbbd679f0457d2faeafcc9e84491ad8c65f53bad27d8925c173a3932bd5ab7
Instruction ID: c3ee18af91a9792b177a397a9a30b65c44ea859183c79d7f504ce415995e48bb
Opcode Fuzzy Hash: 62cbbd679f0457d2faeafcc9e84491ad8c65f53bad27d8925c173a3932bd5ab7
Instruction Fuzzy Hash: E7318E72100208AEDF109FA8DC40EBB73A9FF88724F109619F9A5D7290DA30ED81D760

Function 00AF4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00AF461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AF4634

Strings

', xrefs: 00AF458E

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0acfdd5af97ae4d6519bd25980890a961d1fa964f49ca0e1e7c527a48ea57252
Instruction ID: 32dfd5498a33e9d9f07294de48a7f90de94a68b25fd6ef8bfc411364d1a00af9
Opcode Fuzzy Hash: 0acfdd5af97ae4d6519bd25980890a961d1fa964f49ca0e1e7c527a48ea57252
Instruction Fuzzy Hash: A6310674A012099FDB14DFA9C990BEA7BB5FF49300F14416AEA05EB351E770A941CF90

Function 00AF31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AF327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF3287

Strings

Combobox, xrefs: 00AF3249

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d642f752842b280d9d8419c12d390eb303dfc62765039c3871c721476c928c03
Instruction ID: fae30bf85b49278667005a99dc827b9eb373905fb399e5c41ac57d279a1f54c2
Opcode Fuzzy Hash: d642f752842b280d9d8419c12d390eb303dfc62765039c3871c721476c928c03
Instruction Fuzzy Hash: A011907220020C6FEF219F94DC80EFB376AEBA4364F104625FA1997290D6759D519760

Function 00AF3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A6604C
Part of subcall function 00A6600E: GetStockObject.GDI32(00000011), ref: 00A66060
Part of subcall function 00A6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A6606A

GetWindowRect.USER32(00000000,?), ref: 00AF377A
GetSysColor.USER32(00000012), ref: 00AF3794

Strings

static, xrefs: 00AF3757

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ffebea0c20ea85fae3c9286a777cccf3940be9366613c74eefa4ccc16b5c5585
Instruction ID: 20a946b7f4db0c3800afdbad6fbed234598a95fdbc835d79e710e494ad94206c
Opcode Fuzzy Hash: ffebea0c20ea85fae3c9286a777cccf3940be9366613c74eefa4ccc16b5c5585
Instruction Fuzzy Hash: 481117B2610209AFDF00EFA8CD45AFA7BB8EB08354F004914FA56E2250D735E851DB50

Function 00ADCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00ADCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00ADCDA6

Strings

<local>, xrefs: 00ADCD66

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 45c81cac7b409bf9e9402562921030ac4a7811f7dc0940322fb7482c699ee0ba
Instruction ID: 439b04c567b99505f2bb5c3bcbdf99413bb3e372f46f3c638d0006e0541cc8e9
Opcode Fuzzy Hash: 45c81cac7b409bf9e9402562921030ac4a7811f7dc0940322fb7482c699ee0ba
Instruction Fuzzy Hash: 3711A3712056367ED7285BA68C45EF7BEAAEF127B4F804227B18A83280D6649941D6F0

Function 00AF3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00AF34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AF34BA

Strings

edit, xrefs: 00AF348F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c41d3cb9ca77a3a0d93d760ae3b67c14d1512ff42ddc48608cbad4f062a74e28
Instruction ID: b5756909f20ae6d17fe861569460e4870b57008f91cc469e7cdda298923a4769
Opcode Fuzzy Hash: c41d3cb9ca77a3a0d93d760ae3b67c14d1512ff42ddc48608cbad4f062a74e28
Instruction Fuzzy Hash: 6C118C7210020CABEF228FE5DC84ABB376AEB05776F508724FA61931E0C775DC919B64

Function 00AC6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

CharUpperBuffW.USER32(?,?,?), ref: 00AC6CB6
_wcslen.LIBCMT ref: 00AC6CC2

Strings

STOP, xrefs: 00AC6CBC, 00AC6CC1

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b971c4b65cf813236bf71ca776bf664ab864df9780e7c7a10d1baa2704853cc2
Instruction ID: 9d231e631970f377eefe1e09cdddb3955b38329fc46ba9b69a6b9eff6ecbaf35
Opcode Fuzzy Hash: b971c4b65cf813236bf71ca776bf664ab864df9780e7c7a10d1baa2704853cc2
Instruction Fuzzy Hash: E701C032A049268BCB21EFFDDD80EBF77B9EA65724B12052CE86297194EB31D900C650

Function 00AC1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AC3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AC1D4C

Strings

ListBox, xrefs: 00AC1D16
ComboBox, xrefs: 00AC1CEB

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4cbbc7fdaf7c66360531d6aa2891df9b10d712135c5ba01a3e1106db5c1688c7
Instruction ID: 75d3097c50b73f227f7c3b6583e464e82f03bbeb21ba0673485c0dace3f37ccd
Opcode Fuzzy Hash: 4cbbc7fdaf7c66360531d6aa2891df9b10d712135c5ba01a3e1106db5c1688c7
Instruction Fuzzy Hash: 6E01B575701218ABCF15EBA4CE55EFF73B8EB57350B14091DB823672D2EA3099098660

Function 00AC1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AC3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AC1C46

Strings

ListBox, xrefs: 00AC1C10
ComboBox, xrefs: 00AC1BE5

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 927c17c2fce6fed4fcb70aae933d5c26f92b6a76908e2c2ce87f79ec39b6d730
Instruction ID: c3a7914464b2f700cae2ac352f0542c740f2f24ea9931c7201235a8600fc4397
Opcode Fuzzy Hash: 927c17c2fce6fed4fcb70aae933d5c26f92b6a76908e2c2ce87f79ec39b6d730
Instruction Fuzzy Hash: C40171757851086ACF14EB90CB55EFF77A89B12340B140019B40667282EA249A18A6B1

Function 00AC1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AC3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00AC1CC8

Strings

ListBox, xrefs: 00AC1C94
ComboBox, xrefs: 00AC1C69

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0220f1c56c4f58a3bc9d2ec31156a1430fdf500a8cc3d576df305b3162ab3b29
Instruction ID: cf729feb2c2853f837494046dcc90f05a4167aad6722f1ea3d16915bc28f72b7
Opcode Fuzzy Hash: 0220f1c56c4f58a3bc9d2ec31156a1430fdf500a8cc3d576df305b3162ab3b29
Instruction Fuzzy Hash: A801A2B17841186BCB14EBA1CB51FFF73BC9B12340F150419B806B7282EA349F19D672

Function 00AC1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AC3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00AC1DD3

Strings

ListBox, xrefs: 00AC1DA0
ComboBox, xrefs: 00AC1D75

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 61edeba1e242d4ed0d97bb5b61f188d7abd51fdbb8135c40695de9124b405a63
Instruction ID: 8119a628d5be4fdca332835b8cb4ca961d47fd088ca3d969e73564fdfc8c4f96
Opcode Fuzzy Hash: 61edeba1e242d4ed0d97bb5b61f188d7abd51fdbb8135c40695de9124b405a63
Instruction Fuzzy Hash: F5F0A471B412186BDB15FBA4DE56FFF77BCAB12350F040919B822B72C2DA70590C8271

Function 00AE747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AE7493
_wcslen.LIBCMT ref: 00AE74B9

Strings

3, 3, 16, 1, xrefs: 00AE7483

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 80a801c5138368ef381d40e33929a4ce3578a3e3c88df9629da585b847759ca0
Instruction ID: e3ad2f4f410e173b9ddfd3ffc4125856c45644311a036f45fd6667a4ae016bb9
Opcode Fuzzy Hash: 80a801c5138368ef381d40e33929a4ce3578a3e3c88df9629da585b847759ca0
Instruction Fuzzy Hash: 37E0611231536110A331337BEDC197F66C9CFCD750710182BF989C22E6EB94CD9293A0

Function 00AC0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AC0B23

Strings

AutoIt, xrefs: 00AC0B17
Error allocating memory., xrefs: 00AC0B1C

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 240aa704bb4a87cc412c6a5445d476b0cf0a659b513adefb7ee4c8eff5cce1ab
Instruction ID: 759ab805002e1bdf4acab01fbffc52326d4616cf2bcbfb20109b68bdbb12917c
Opcode Fuzzy Hash: 240aa704bb4a87cc412c6a5445d476b0cf0a659b513adefb7ee4c8eff5cce1ab
Instruction Fuzzy Hash: 03E0D83228431C3AD22037D57E03FD97A848F05B20F10442AF74C954C38AE1259046E9

Function 00A80D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A7F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A80D71,?,?,?,00A6100A), ref: 00A7F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00A6100A), ref: 00A80D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A6100A), ref: 00A80D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A80D7F

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 07263f7e36c5cf2e13eaa345a5d24f6a2c27f4563edc7e2ef53bd9d97fc9a65f
Instruction ID: 332b03f743af1ac69a5025097ccf50ae3f9d3c9ca64c419f180dd0206cffc157
Opcode Fuzzy Hash: 07263f7e36c5cf2e13eaa345a5d24f6a2c27f4563edc7e2ef53bd9d97fc9a65f
Instruction Fuzzy Hash: 69E039702003018FD360AFE9D904A967BE4AF00740F04892DE886C7651EBB0E448CB91

Function 00AD3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00AD302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00AD3044

Strings

aut, xrefs: 00AD3038

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: db23ae86de058a45be2e80e40ea0f2d31d584380b759d58d520500bd06bd16c2
Instruction ID: dedc115c109755aa714d14ca5f05d4ef9a0dfc7a3eceacc6d75234831929d0c9
Opcode Fuzzy Hash: db23ae86de058a45be2e80e40ea0f2d31d584380b759d58d520500bd06bd16c2
Instruction Fuzzy Hash: FFD05E72500328A7DA30E7E5AD0EFDB3B6CDB05760F0006A1B655E20A2DAB09985CAD0

Function 00ABD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00ABD220

Strings

X64, xrefs: 00ABD2A8
%.3d, xrefs: 00ABD22B

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 78b6e747784bb85b1970015e3698d3131b349b4e1ec4489a2403aab7a7686a3f
Instruction ID: 7fa38b8b9bd9691ce7b98c03e390f192abb6981f595880693403ba491e357dcd
Opcode Fuzzy Hash: 78b6e747784bb85b1970015e3698d3131b349b4e1ec4489a2403aab7a7686a3f
Instruction Fuzzy Hash: 13D012B1C09158E9CB50D6D0DD458F9B7BCEB48301F50C462F90A92042F624C609AB65

Function 00AF2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AF233F

Part of subcall function 00ACE97B: Sleep.KERNEL32 ref: 00ACE9F3

Strings

Shell_TrayWnd, xrefs: 00AF2325

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5d724b08d7e980a96083c49ff2e3af27b8b3c9b818a85848db282d198b5eaf10
Instruction ID: e89ed87287a6d7e57adbb4a823c2b7954fc17f8aa73674481cca1f2682e95134
Opcode Fuzzy Hash: 5d724b08d7e980a96083c49ff2e3af27b8b3c9b818a85848db282d198b5eaf10
Instruction Fuzzy Hash: B8D012763D4314B7E6A4F7F1ED0FFD6BA549B00B20F0149167749EA1E0C9F4A802CA54

Function 00AF2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF236C
PostMessageW.USER32(00000000), ref: 00AF2373

Part of subcall function 00ACE97B: Sleep.KERNEL32 ref: 00ACE9F3

Strings

Shell_TrayWnd, xrefs: 00AF2365

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 83a54608c642b1e3d86d3230996297906502447ab68befc3765ad19e73149a57
Instruction ID: e7c80a2580e16f365276e5a5bba950ba2948f3faabdf1b4af796c8bc3bb5eab0
Opcode Fuzzy Hash: 83a54608c642b1e3d86d3230996297906502447ab68befc3765ad19e73149a57
Instruction Fuzzy Hash: 54D0C9723C5314BAE6A4E7B1AD0FFD6A6549B05B20F0149167645EA1E0C9B4A802CA54

Function 00A9BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00A9BE93
GetLastError.KERNEL32 ref: 00A9BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A9BEFC

Memory Dump Source

Source File: 00000000.00000002.1410049779.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1410016577.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410172834.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410263707.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1410300444.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 66c80a94b78d57b977bc473369ddecdd3a4ce4a045317e431cc431cb65cfd059
Instruction ID: 0e7feb5051c034d7b7612c4d9ca63aea2465a9063dcf012a0aff7ef8d41c93ed
Opcode Fuzzy Hash: 66c80a94b78d57b977bc473369ddecdd3a4ce4a045317e431cc431cb65cfd059
Instruction Fuzzy Hash: 8A41A434720206AFCF21DFA5EE44ABABBE9AF41320F144159F959571A1DB308D01CB70

Analysis Process: firefox.exePID: 7872, Parent PID: 3964COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000213C7CC2E77 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00000213C7CC2E9C

Memory Dump Source

Source File: 00000012.00000002.2591708958.00000213C7CC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213C7CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_213c7cc0000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 93f2489682094142743f189a6fe51939bbe11afa84147573e69701a286685653
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: C8A3F031614A498BDB2DDF28DC897E977E6FB95700F14822EDD4BD3241DB34EA428AC1

Function 00000213C7CBBE42 Relevance: .1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.2591243918.00000213C7CBB000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213C7CBB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_213c7cbb000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8437dd4b95c8efcda45e67599244849e889f37554fc52ed52bbe25a3d8689f
Instruction ID: 9bb1add42eac4ba62cdc5c23ff10508f943ebebe47a32710ccf3a686744bdd26
Opcode Fuzzy Hash: de8437dd4b95c8efcda45e67599244849e889f37554fc52ed52bbe25a3d8689f
Instruction Fuzzy Hash: 6921843151CB8D4FD745EF28C844A96BBE0FB69310F1506AFE099C7292DB34D945C782

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1435156205.0000023D4CA60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552745259.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483579336.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1538877914.0000023D57967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1481103957.0000023D57967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1493545786.0000023D57967000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1534702339.0000023D57A19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534702339.0000023D57A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527590236.0000023D4E4C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534702339.0000023D57A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552745259.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483579336.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1538877914.0000023D57967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1481103957.0000023D57967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1493545786.0000023D57967000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1526880872.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1488721461.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1537605790.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1526880872.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1488721461.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1537605790.0000023D4F9DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1534702339.0000023D57A19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534702339.0000023D57A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527590236.0000023D4E4C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534702339.0000023D57A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1550505239.0000023D4DFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2586892427.00000213C770A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2587623210.00000226BC80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1550505239.0000023D4DFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2586892427.00000213C770A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2587623210.00000226BC80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1550505239.0000023D4DFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2586892427.00000213C770A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2587623210.00000226BC80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1538877914.0000023D57956000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1493545786.0000023D57954000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1481740767.0000023D57954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1494881678.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552745259.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483579336.0000023D55AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1538877914.0000023D57967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1481103957.0000023D57967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1536371933.0000023D57373000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1572439207.0000023D5733A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1546649541.0000023D4F80D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549354410.0000023D4F80D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554593975.0000023D4F80F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.7:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49907 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49916 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dea8bdd6-ded2-44c3-b4aa-716f26b8b3f0.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dea8bdd6-ded2-44c3-b4aa-716f26b8b3f0.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre